Quick answer: decode HTML entities in JavaScript
In a browser, use a detached textarea to decode named entities such as &, decimal entities such as ', and hexadecimal entities such as '.
function decodeHtmlEntities(input) {
const textarea = document.createElement('textarea');
textarea.innerHTML = input;
return textarea.value;
}
decodeHtmlEntities('Tom & Jerry');
// "Tom & Jerry"
This helper returns text. It does not sanitize decoded markup and should not be used as permission to inject unknown HTML into the page.
The scenario
You copy text from a CMS, log file, email template, or API response and see strings such as &, ", , or '. The text is not broken. It is encoded as HTML entities.
Decoding converts those escaped references back into readable characters so you can inspect the original text, clean pasted content, or debug a rendering issue.
What HTML entities mean
HTML entities are character references used inside HTML source. They protect characters that either have special meaning in markup or are hard to type directly.
& -> &
< -> <
> -> >
" -> "
' -> '
-> non-breaking space
Named entities use readable names such as amp or quot. Numeric entities use character codes such as ' or hexadecimal codes such as '.
Decode entities online
Open the HTML Entity Decoder, paste the encoded text, and click Decode. The decoded text appears in the plain text panel.
Encoded:
Tom & Jerry "classic"
Decoded:
Tom & Jerry "classic"
If the output still contains entity text after one pass, the input may have been encoded more than once. Decode one layer at a time so you can see exactly where the double-encoding happened.
Test a JavaScript HTML entity decoder
A few assertions catch the cases that usually break hand-written replacements: named entities, decimal values, hexadecimal values, and non-breaking spaces.
const cases = [
['Tom & Jerry', 'Tom & Jerry'],
[''quoted'', "'quoted'"],
['<strong>', '<strong>'],
['one two', 'one\u00A0two']
];
for (const [encoded, expected] of cases) {
console.assert(decodeHtmlEntities(encoded) === expected, encoded);
}
A chain of string replacements often misses numeric or Unicode entities. Letting the browser parse the references gives behavior that is closer to HTML itself.
Decode one layer at a time
If the first result still contains text such as &, the source was probably encoded twice. Run the decoder once, inspect the result, and only decode again when another encoded layer is actually present. Repeated decoding without checking can turn intended literal text into markup-like characters.
Decoding is not sanitization
Entity decoding answers one question: which characters do these references represent? It does not decide whether the resulting HTML, attribute value, URL, CSS, or JavaScript is safe. Keep decoded content as text unless it has been validated and sanitized for its final context.
When to encode instead
Encoding goes in the other direction. Use encoding when you want literal markup to appear as text, such as showing <button>Save</button> inside documentation, a blog post, a CMS field, or an example response.
For template debugging, compare the encoded and decoded versions. It often reveals whether escaping happened too early, too late, or more than once.
FAQ
What are HTML entities?
HTML entities are escaped character references used in HTML source. They let text such as less-than signs, ampersands, quotes, and non-breaking spaces appear safely without being interpreted as markup.
How do I decode HTML entities in JavaScript?
In a browser, create a detached textarea, set its innerHTML to the encoded text, and read back its value. This converts named, decimal numeric, and hexadecimal numeric entities into readable text.
Why do I see amp;amp instead of amp?
That usually means the text was encoded more than once. Decode one layer at a time and check whether the result is the text you expected before decoding again.
Does decoding HTML entities sanitize HTML?
No. Entity decoding only converts character references back to text. Treat decoded markup as untrusted and sanitize it for the exact output context before inserting it into a live document.