HTML Decode - Entity Decoder

HTML decoding is the reverse process of HTML encoding - it converts HTML entities back to their original characters. Browsers automatically decode entities like &lt;, &gt;, &amp;, &quot;, and &#39; when rendering HTML, displaying them as <, >, &, ", and ' respectively. HTML decoding tools or functions read entity codes (both named entities like &nbsp; and numeric entities like &#60;), look up their corresponding characters, and replace the entity with the actual character. This process makes encoded text human-readable and restores the original content format. Decoding is necessary when working with stored encoded data, scraped content, or API responses that return HTML entities.

Decode HTML entities when working with web-scraped data that contains entities, processing API responses that return encoded HTML, reading data from databases where content was stored in encoded format, parsing RSS/XML feeds with encoded content, converting stored encoded text for display in non-HTML contexts (like plain text or PDF), or when debugging to see the actual characters behind the entities. Always decode when you need to see the original text, but be cautious about where you display decoded content - never insert decoded untrusted content directly into HTML without re-encoding or sanitization.

Decoding HTML from untrusted sources is potentially dangerous! The decoded content may contain malicious scripts, event handlers, or other XSS attack vectors. For example, decoding &lt;script&gt;alert("XSS")&lt;/script&gt; produces executable code. If you must decode untrusted content: decode it safely, never render it directly in HTML, re-encode it before display, use a content sanitization library (like DOMPurify), display it as plain text only, or validate against a whitelist of allowed characters. The decoding process itself is safe (it happens in your browser), but what you do with the decoded result determines security. Only decode content from trusted sources if you plan to display it as HTML.

HTML decoding and HTML unescaping are the same process - the terms are used interchangeably. Both refer to converting HTML entities back to their original characters. Some programming languages use "decode" (like Python's html.unescape()), while others use "unescape" (like JavaScript), but they perform the same function. The process reverses HTML encoding/escaping by converting entity codes to actual characters. Whether you call it decoding or unescaping depends on the framework or library you're using, but the result is identical: &amp; becomes &, &lt; becomes <, and so on.

Yes! This tool decodes all standard HTML entity types: named entities (like &lt;, &copy;, &nbsp;), decimal numeric entities (like &#60;, &#169;), and hexadecimal numeric entities (like &#x3C;, &#xA9;). Named entities work for ~250 predefined character names. Numeric entities can represent any Unicode character using its code point. The tool automatically detects the entity format and decodes appropriately. However, malformed entities (incomplete patterns, invalid codes, or typos like &ltt; instead of &lt;) won't decode and will remain as-is. Modern browsers are forgiving with entities, but this tool follows strict HTML5 entity decoding standards.

Websites store HTML entities in databases for several reasons: preventing XSS attacks (storing user input as entities prevents script injection), maintaining data integrity (entities preserve special characters without breaking database queries), ensuring safe display (content can be safely inserted into HTML without additional encoding), cross-platform compatibility (entities work consistently across different character encodings), and legacy system support (older systems that couldn't handle UTF-8 relied on entities). However, modern best practice is to store raw UTF-8 text in databases and encode only when rendering to HTML. This makes data more portable and easier to use in non-HTML contexts like JSON APIs or plain text exports.

JavaScript doesn't have a built-in decodeHTML() function, but you can decode entities using the browser's DOM. Create a temporary element, set its innerHTML to the encoded string, then read textContent to get decoded text. Example: const decoded = new DOMParser().parseFromString(encoded, "text/html").documentElement.textContent; Or use a simpler approach: const textarea = document.createElement("textarea"); textarea.innerHTML = encoded; const decoded = textarea.value; Both methods leverage the browser's built-in entity decoding. For Node.js, use the html-entities package or the native he library. Never use this to decode untrusted content that will be inserted back into HTML (also try our <a href="/html-encode" class="text-primary-light dark:text-primary-dark hover:underline">HTML Encoder</a>).

Double-decoding HTML entities can cause issues, especially with ampersands. For example: &amp;lt; (encoded) → &lt; (first decode) → < (second decode). If you decode twice, double-encoded entities become their literal characters, which might break HTML structure or create security vulnerabilities. This is particularly problematic when working with user input that might already contain entities. Always track whether content is encoded or decoded, decode only once, and avoid round-trip encoding/decoding cycles. If you're unsure whether content is encoded, check for entity patterns (&...; format) before decoding. Modern frameworks typically handle this automatically to prevent double-encoding/decoding issues.