XML Decoder

Convert escaped XML entities like &lt;, &gt;, &amp;, &quot;, &apos; back to their original characters. Ideal for cleaning XML logs, API responses, and escaped database fields.

Privacy first: All decoding is done locally in your browser. No data is ever uploaded to any server. Works offline after page load.

What does an XML decoder do?

XML defines five predefined entities to represent characters that have special meaning in markup. When you see text like &lt;message&gt;, it is an escaped representation of the original <message>. Decoding (or unescaping) reverses this process, turning the entity references back into the actual characters so that the XML becomes human‑readable and processable.

Entities decoded by this tool
Entity | Decodes to | Description
&lt; | < | Less‑than sign
&gt; | > | Greater‑than sign
&amp; | & | Ampersand
&quot; | " | Double quote
&apos; | ' | Apostrophe / single quote

Numeric entities (e.g., &#169;) and other custom entities are not decoded by this tool — only the five standard XML entities, as defined in W3C XML 1.0 §4.6.

Common use cases for XML decoding

  • Reading escaped XML logs: Many systems escape XML before writing logs to avoid corruption. Decoding restores readability.
  • API response handling: Some REST APIs return XML inside JSON strings with entities escaped. Decode before parsing.
  • Database cleanup: Legacy databases may store escaped XML; decoding helps migrate or display content.
  • Security testing: Analyze potentially malicious payloads by unescaping encoded injection attempts.
Real‑world example: Decoding SOAP fault messages

A SOAP web service returns faults with escaped XML inside the <faultstring> element. For example: &lt;error&gt;Invalid token &amp; request ID&lt;/error&gt;. Using this decoder, developers can quickly see the actual error: <error>Invalid token & request ID</error>. This accelerates debugging without manual replacement.

How decoding works (algorithm)

The decoder scans the input string and replaces each known entity with its corresponding character. The order of replacement matters: the ampersand entity (&amp;) is replaced last, because replacing it first would turn a double‑escaped &amp;lt; into &lt;, which the later &lt; step would then decode a second time. The replacements run in this order:

  1. Replace &lt; with <
  2. Replace &gt; with >
  3. Replace &quot; with "
  4. Replace &apos; with '
  5. Replace &amp; with &

This ensures that even nested or double‑encoded entities are correctly resolved, one encoding layer per pass. All replacements are performed using JavaScript’s global string replace, which is efficient for text up to several megabytes. No external libraries are required.
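The replacement order above, as an added JavaScript example (not the tool's own source; the function names decodeChained, decodeAmpFirst, decodeOnce and decodeLayers are assumptions). It contrasts the &amp;-last order with an &amp;-first order that strips two layers in one call, and counts encoding layers with a cap, which helps when triaging escaped log fields.

```javascript
// Added example; function names are assumptions, not the tool's own source.
const ENTITIES = { lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' };

// The order listed above: chained global replaces with &amp; last.
function decodeChained(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&');
}

// Contrast: &amp; first. The '&' it produces is rescanned by the later
// steps, so a double-escaped value loses two layers in one call.
function decodeAmpFirst(s) {
  return s.replace(/&amp;/g, '&').replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&apos;/g, "'");
}

// Order-independent alternative: one regex pass; replacement text is never
// rescanned. Numeric references such as &#x3C; do not match and stay as-is.
function decodeOnce(s) {
  return s.replace(/&(lt|gt|quot|apos|amp);/g, (_, name) => ENTITIES[name]);
}

// Decode until the text stops changing, capped at maxLayers passes.
// layers > 1 means the field was escaped more than once.
function decodeLayers(s, maxLayers = 5) {
  let text = s;
  let layers = 0;
  while (layers < maxLayers) {
    const next = decodeOnce(text);
    if (next === text) break;
    text = next;
    layers += 1;
  }
  return { text, layers };
}

// Constructed sample: a double-escaped log field.
const sample = '&amp;lt;error&amp;gt;Invalid token&amp;lt;/error&amp;gt;';
console.log(decodeChained(sample));
console.log(decodeAmpFirst(sample));
console.log(decodeLayers(sample));
```

The decoded text is live markup again, so re-escape it before writing it into an HTML page or another XML document.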

Performance note: For typical XML fragments under 500 KB, decoding completes in under 20 ms. Larger texts (up to 10 MB) may take a few seconds but remain fully functional within the browser’s main thread.

Step‑by‑step usage

  1. Copy or type your escaped XML text into the Encoded XML text box.
  2. Click Decode / Unescape — the decoded version appears instantly.
  3. Use the Copy result button to copy the output to your clipboard.
  4. Try the sample buttons to see decoding in action.

When NOT to use this decoder

Situation | Recommendation
Your text contains numeric entities like &#x3C; | Use a full XML parser or a tool that supports numeric entity expansion. This decoder leaves them unchanged.
You have custom DTD entities | Only the five predefined entities are supported. Custom entities require a full XML processor.
The text is already plain (no & followed by known entity names) | Decoding will have no effect — output will be identical to input.

Example transformation:
Input (escaped): &lt;root&gt;Value &amp; 5 &lt; 10&lt;/root&gt;
Output (decoded): <root>Value & 5 < 10</root>

Frequently Asked Questions

No special handling. If a CDATA marker (&lt;![CDATA[ ... ]]&gt;) is escaped, the decoder will unescape its angle brackets, restoring the CDATA declaration. However, the content inside CDATA is not parsed further; if it contains entities, they will be decoded as usual because the decoder works on the entire string. This is intentional and matches generic text decoding.

One click will decode one layer. For example, &amp;lt; becomes &lt;. Click Decode again to turn &lt; into <. This allows you to progressively unescape deeply encoded content.

Yes. No data leaves your browser. You can even disconnect from the internet after the page loads. The tool runs entirely in JavaScript on your local machine.

No. Only the five named entities are decoded. Numeric character references (decimal or hex) are left untouched. This is by design to avoid confusion with numeric data and to stay strictly within the scope of predefined XML entities.

This is a client‑side web tool, not an API. However, you can inspect the JavaScript code (open browser developer tools) and reuse the decodeXML() function in your own projects freely — there are no restrictions.

Standards‑compliant utility – Built according to the XML 1.0 specification (W3C Recommendation). The decoding logic matches the behavior of standard XML parsers like libxml2, Xerces, and popular programming languages’ built‑in unescape methods. No external dependencies, no tracking. Source code is fully visible and verifiable.