HTML Entity Encoder / Decoder
Encode HTML special characters to entities or decode entities.
Common HTML entities reference
| Char | Entity | Char | Entity |
|---|---|---|---|
| & | & | < | < |
| > | > | " | " |
| ' | ' | | |
| © | © | ® | ® |
| ™ | ™ | € | € |
| £ | £ | ¥ | ¥ |
| ¢ | ¢ | § | § |
| ° | ° | ± | ± |
| × | × | ÷ | ÷ |
| ¼ | ¼ | ½ | ½ |
| ¾ | ¾ | – | – |
| — | — | ‘ | ‘ |
| ’ | ’ | “ | “ |
| ” | ” | • | • |
| … | … | ← | ← |
| → | → | ↑ | ↑ |
| ↓ | ↓ | ↔ | ↔ |
| ♠ | ♠ | ♣ | ♣ |
| ♥ | ♥ | ♦ | ♦ |
The 5 essential HTML characters to always encode
Any text that will be rendered as HTML content must have these five characters escaped to prevent parsing issues and XSS attacks:
&(ampersand) →&<(less than) →<>(greater than) →>"(double quote) →"'(single quote) →'
Three encoding modes explained
- Minimal: Only encodes the 5 HTML-special characters above. Use when rendering user content in HTML to prevent XSS.
- Named entities: Converts named characters (©, ®, €, →, etc.) to their HTML entity equivalents. Useful for typographically correct HTML.
- Numeric:Encodes all non-ASCII characters as decimal character references (&#xx;). Use when targeting strict ASCII-only HTML documents.
Decoding HTML entities
Switch to Decode mode to convert HTML entities back to readable characters. Useful for reading HTML source code, inspecting encoded email bodies, or processing HTML-encoded data from APIs.
Common use cases
Backend developers use the encoder to sanitise user-submitted form data before writing it into an HTML template, preventing XSS vulnerabilities. Content teams paste blog drafts to encode special characters like em dashes and copyright symbols into named entities before publishing. Front-end engineers use Decode mode to read API responses that return HTML-escaped strings, and email developers encode content to guarantee correct rendering across mail clients that handle encoding inconsistently.
Server-side vs client-side encoding
HTML encoding is a server-side responsibility when rendering user-supplied data into HTML templates. Templating engines like Jinja2, Blade, Handlebars, and React's JSX automatically escape output by default — this is one of their core security features. The danger zone is when developers bypass escaping by usingdangerouslySetInnerHTML, v-html, or | safe filters to render HTML intentionally. Any time raw HTML output is enabled, the input must be carefully sanitised using a library like DOMPurify to strip potentially malicious tags and attributes before rendering.
Frequently asked questions
- What are HTML entities?
- HTML entities are special codes used to represent characters that either have special meaning in HTML or cannot be typed easily. They start with an ampersand (&) and end with a semicolon (;). For example, < represents < (which would otherwise start an HTML tag) and & represents & (which would otherwise start an entity).
- When do I need to encode HTML characters?
- Encode HTML characters when: (1) displaying user-submitted content in HTML to prevent XSS (Cross-Site Scripting) attacks — any < > & " ' must be encoded, (2) including special symbols like copyright ©, registered ®, or currency signs in HTML, (3) placing HTML code examples inside a web page for display.
- What is the difference between named and numeric entities?
- Named entities use a descriptive name: < for <, © for ©. Numeric entities use the character's decimal (<) or hex (<) Unicode code point. Named entities are more readable; numeric entities work for any character, even those without a named equivalent. All browsers support both.
- What is XSS and how does encoding prevent it?
- Cross-Site Scripting (XSS) is an attack where malicious JavaScript is injected into a web page via unescaped user input. If a user submits <script>alert(1)</script> and it is rendered , the script executes. Encoding the < and > as < and > makes the browser display the text literally instead of executing it .
- What is the minimal encoding level?
- Minimal encoding only escapes the 5 characters with special meaning in HTML: & (→ &), < (→ <), > (→ >), " (→ "), and ' (→ '). This is the minimum required to safely embed text in HTML and prevent XSS. Use this level when you need to display user input in an HTML page.
Related tools
- JSON Formatter, Validator & Repair Tool
Format, minify, validate, and repair JSON instantly in your browser. Sort keys alphabetically, auto-format on paste, download as file, escape/unescape strings — free, no sign-up, 100% client-side.
- QR Code Generator
Generate QR codes for URLs, text, Wi-Fi, and more. Download as PNG.
- Password Generator
Generate strong, random passwords with custom length and character sets.
- Base64 Encoder / Decoder
Encode text to Base64 or decode Base64 back to plain text.
- URL Encoder / Decoder
Encode or decode URLs and query strings with percent-encoding.