HTML Entity Encoder/Decoder - Encode HTML Special Characters
HTML entities are special sequences of characters that represent reserved or special characters in HTML markup. They allow you to include characters in your HTML content that would otherwise be interpreted as part of the HTML syntax. For example, the less-than sign (<) starts an HTML tag, so to display a literal less-than sign in your content you write the entity &lt; instead. Our HTML Entity Encoder/Decoder provides instant bidirectional conversion between plain text and HTML entity notation, making it easy to embed reserved characters in HTML text and attribute values without breaking the markup.
HTML entities come in two forms: named entities (like &amp; for &, &lt; for <, and &quot; for ") and numeric character references (like &#60; for <, or &#x3C; for the same character in hexadecimal). Named entities are more readable and memorable, while numeric references can represent any Unicode character, including those without a named entity. Our encoder uses the common named entities for four of the five reserved characters and the numeric form &#39; for the single quote, because the named &apos; is defined in HTML5 and XML but not in HTML 4.01.
The five characters that should always be encoded when placing text into HTML are: the ampersand (&), which starts every entity reference; the less-than sign (<) and greater-than sign (>), which delimit HTML tags; and the double quote (") and single quote ('), which delimit attribute values. Failing to encode any of these can break your markup, cause rendering errors, or, when the text comes from an untrusted source, create cross-site scripting vulnerabilities.
Why Encoding Matters
HTML entity encoding is not just a technical detail — it is essential for correct rendering, data integrity, and security. Without proper encoding, your HTML may be malformed, your content may be misinterpreted, and your application may be vulnerable to cross-site scripting attacks. Understanding when and why to encode is a fundamental skill for web developers.
Reasons to encode HTML entities:
- Correct rendering: Without encoding, a < followed by a letter is the start of a tag rather than text. If your content includes the text "if a<b then", the browser reads "<b then" as the opening of a <b> tag and consumes everything up to the next > as tag attributes, so the text after it disappears or renders in bold. (A < followed by a space or a digit, as in "5 < 10", happens to be treated as text by HTML5 parsers, but relying on that is fragile; encode it as &lt; regardless.)
- Attribute safety: When including user-generated content in HTML attributes (like title, value, or placeholder), an unencoded quote can terminate the attribute value early, breaking the HTML structure and letting the rest of the input be parsed as further attributes. Always quote attribute values as well as encoding them: in an unquoted attribute a plain space ends the value, and entity encoding does nothing to stop that.
- XSS prevention: Cross-Site Scripting (XSS) attacks work by injecting attacker-controlled markup or script into web pages. Encoding untrusted input before placing it in HTML text or a quoted attribute neutralizes script injection by converting < and > into &lt; and &gt;, which the parser treats as text rather than markup. This holds for HTML text and attribute contexts only: data placed inside a <script> block, an event-handler attribute such as onclick, a URL, or a style sheet needs the encoder for that context, because HTML entities are either not decoded there at all (inside <script>) or are decoded before the inner JavaScript parser runs (inside an event-handler attribute).
- Email templates: HTML emails require careful entity encoding because email clients have varying levels of HTML support. Special characters in email templates should always be encoded to ensure consistent rendering across different email clients.
- Code documentation: When writing about HTML in blog posts, documentation, or tutorials, you need to display HTML code as text rather than have it rendered. Entity encoding allows you to show <div> tags, & characters, and other HTML syntax as readable text.
Common HTML Entities Reference
While there are hundreds of named HTML entities defined in the HTML specification, a small set covers the vast majority of everyday needs. This reference table shows the most commonly used entities, their named and numeric forms, and when to use each one.
Essential HTML entities:
&amp; → &
Ampersand (entity start character)
&lt; → <
Less-than (tag start character)
&gt; → >
Greater-than (tag end character)
&quot; → "
Double quote (attribute delimiter)
&#39; → '
Single quote (attribute delimiter). &apos; is equivalent in HTML5 and XML but is not defined in HTML 4.01, so &#39; is the portable choice.
&nbsp; → (U+00A0)
Non-breaking space
&copy; → ©
Copyright symbol
&reg; → ®
Registered trademark
&mdash; → —
Em dash
For any character that does not have a named entity, you can use a numeric character reference. Decimal references use the format &#NNN; where NNN is the decimal Unicode code point (e.g., &#8364; for the Euro sign €). Hexadecimal references use the format &#xHHH; where HHH is the hexadecimal code point and the x may be upper- or lowercase (e.g., &#x20AC; for the same Euro sign). Numeric references work for every Unicode code point, making them a universal fallback for any character you need to represent. Always include the terminating semicolon: browsers accept some legacy forms without it, but they are ambiguous and not all decoders handle them the same way.
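As an added example that is not the tool's own source code, the following JavaScript implements the behaviour described in the two passages above: encoding of the five reserved characters (named entities plus &#39; for the single quote) and decoding of named, decimal and hexadecimal references. The named-entity table is a constructed subset covering only the entities listed in the reference; a real decoder carries the full HTML5 list.

```javascript
// Added example, not the tool's own source: a minimal HTML entity encoder
// and decoder. Encoding covers the five reserved characters; decoding
// covers a constructed subset of named entities plus decimal and
// hexadecimal numeric character references.

const ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;', // numeric form: &apos; is HTML5/XML only, &#39; works everywhere
};

// Single-pass replace: every reserved character is rewritten exactly once,
// so already-encoded input is encoded again (&lt; becomes &amp;lt;).
// Encode once, at output time.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Named entities this example knows (constructed subset). The real HTML5
// table has over 2,000 names.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  nbsp: '\u00A0', copy: '\u00A9', reg: '\u00AE', mdash: '\u2014', euro: '\u20AC',
};

// Decodes &name;, &#NNN; and &#xHHH; in one pass. Unknown names and
// out-of-range code points are left as written rather than guessed, and
// the output of one decode is never fed back through the decoder, so
// &amp;lt; becomes the text "&lt;", not "<".
function decodeHtml(html) {
  const REF = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;
  return String(html).replace(REF, (match, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      // Beyond U+10FFFF or a lone surrogate: not a valid character, keep the text.
      if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return match;
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
      ? NAMED_ENTITIES[name]
      : match;
  });
}

// Round-trip check a practitioner can run on any input: decode(encode(s)) === s.
function roundTrips(text) {
  return decodeHtml(encodeHtml(text)) === text;
}
```

The decoder deliberately performs one pass: decoding repeatedly until nothing changes is how "&amp;lt;" turns into a real "<", which is the double-decoding mistake behind many filter bypasses. The encoder is equally deliberately single-pass in the other direction, so it must be applied exactly once, at output time.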
Security and HTML Encoding
HTML entity encoding is a critical component of web application security, particularly in the prevention of Cross-Site Scripting (XSS) attacks. XSS is one of the most common web vulnerabilities, and proper output encoding is the primary defense against it. Understanding how encoding fits into your security strategy helps you build more robust applications.
How Encoding Prevents XSS
- Converts < and > to harmless entity equivalents
- Prevents injected scripts from being parsed as HTML
- Neutralizes attribute-breaking quote characters
- Makes JavaScript code in HTML appear as plain text
- Works as defense-in-depth alongside other security measures
Security Best Practices
- Encode on output, not on input (store the original data; encoding at storage time breaks other consumers and invites double encoding)
- Use the encoder for the context the value lands in: HTML text, quoted HTML attribute, JavaScript string, CSS, or URL parameter; one encoder does not fit every slot
- Use established, well-tested libraries or template engines with auto-escaping rather than hand-written replace chains
- Combine with Content Security Policy headers so a missed encoding is harder to exploit
- Never rely on encoding alone — validate input too
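To make the "context-appropriate encoding" point concrete, here is an added JavaScript example (not the tool's own code) with one encoder per output context and constructed attacker payloads. It shows that the HTML encoder alone is enough for HTML text and a quoted attribute, is not enough for an unquoted attribute, and is the wrong tool for a JavaScript string literal or a URL parameter. The template functions, payloads and the two counting helpers are assumptions made for the demonstration.

```javascript
// Added example, not from the page: one encoder per output context, with
// constructed payloads showing why the HTML encoder alone is not enough.

// HTML text and quoted-attribute context: the five reserved characters.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_MAP[ch]);
}

// JavaScript string-literal context: every non-alphanumeric character
// becomes \uXXXX (or \u{...} above the BMP), so quotes, backslashes, line
// terminators and "</script>" cannot close the literal or the script block.
function encodeJsString(text) {
  return String(text).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    return cp < 0x10000
      ? '\\u' + cp.toString(16).padStart(4, '0')
      : '\\u{' + cp.toString(16) + '}';
  });
}

// URL query-parameter context: percent-encoding, not entities.
function encodeUrlParam(text) {
  return encodeURIComponent(String(text));
}

// Hypothetical templates for each context. htmlAttrUnquoted is the weak
// form the page warns about: the value is entity-encoded, but nothing
// stops a space from ending the attribute.
function htmlText(v)         { return `<p>${encodeHtml(v)}</p>`; }
function htmlAttrQuoted(v)   { return `<input value="${encodeHtml(v)}">`; }
function htmlAttrUnquoted(v) { return `<input value=${encodeHtml(v)}>`; }
function jsStringLiteral(v)  { return `<script>var q = "${encodeJsString(v)}";</script>`; }
function urlLink(v)          { return `<a href="/search?q=${encodeUrlParam(v)}">go</a>`; }

// Constructed payloads, one per context (assumed attacker input).
const TAG_PAYLOAD  = '<img src=x onerror=alert(1)>';
const ATTR_PAYLOAD = 'x onmouseover=alert(1)';
const JS_PAYLOAD   = '"; alert(1); //';

// Crude structural checks used to judge the rendered snippets: how many
// tags were opened, and how many attributes appear outside quoted values.
function countTags(html) {
  return (html.match(/<[A-Za-z]/g) || []).length;
}
function countAttrs(html) {
  const noQuoted = html.replace(/"[^"]*"/g, '""');
  return (noQuoted.match(/\s[A-Za-z-]+=/g) || []).length;
}
```

Two practical notes. First, browsers entity-decode an attribute value before handing it to the JavaScript engine, so a value inside an event handler such as onclick="f('...')" must be JavaScript-string-encoded first and then HTML-attribute-encoded, in that order; applying only the HTML encoder is undone by the attribute decode. Second, encodeURIComponent removes & and = from the value, so the link built by urlLink stays well-formed, but any other attacker-influenced part of a URL (scheme, host, path) needs its own validation, since percent-encoding does not stop a javascript: scheme.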
Our HTML Entity Encoder handles the five critical characters that must be encoded in HTML content: &, <, >, ", and '. It uses named entities where they are supported by every HTML version (&amp;, &lt;, &gt;, &quot;) and the numeric reference &#39; for the single quote, since &apos; is not defined in HTML 4.01. The decoder reverses the process, converting named entities and decimal or hexadecimal numeric references back to their characters. Note that the encoder does not detect already-encoded input: running &lt; through it again produces &amp;lt;, so encode once, at output time. All processing happens locally in your browser, ensuring your data remains private. This tool is useful for preparing content for HTML documents, debugging rendering issues, and verifying that your encoding is correct before deploying to production.