HTML Entity Encoder
Common HTML Entities
| Character | Named Entity | Numeric Entity | Description |
|---|---|---|---|
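| < | `&lt;` | `&#60;` | Less than |
| > | `&gt;` | `&#62;` | Greater than |
| & | `&amp;` | `&#38;` | Ampersand |
| " | `&quot;` | `&#34;` | Double quote |
| ' | `&apos;` | `&#39;` | Apostrophe |
|   | `&nbsp;` | `&#160;` | Non-breaking space |
| © | `&copy;` | `&#169;` | Copyright |
| ® | `&reg;` | `&#174;` | Registered |
| ™ | `&trade;` | `&#8482;` | Trademark |
| € | `&euro;` | `&#8364;` | Euro sign |
| £ | `&pound;` | `&#163;` | Pound sign |
| ¥ | `&yen;` | `&#165;` | Yen sign |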
About HTML Encoding
Why Encode HTML?
HTML encoding prevents special characters from being interpreted as HTML code. This is essential for security (preventing XSS attacks) and displaying code snippets correctly.
Must-Encode Characters
- < and >: Tag delimiters
- &: Entity start character
- " and ': In attributes
Security Note
Always encode user-generated content before displaying it in HTML to prevent Cross-Site Scripting (XSS) attacks.
How to Use This Tool
- Enter Your Content: Paste HTML code, text with special characters, or entity-encoded text into the input field. The tool processes all standard HTML entities including named (`&amp;`) and numeric (`&#38;`) formats.
- Choose Encoding Options: Enable "Encode all characters" for maximum encoding (rarely needed), or "Use numeric entities" if you need `&#60;` format instead of `&lt;` for compatibility with non-HTML XML contexts.
- Click Encode or Decode: Use "Encode" to convert special characters to safe HTML entities, or "Decode" to restore original characters from entity-encoded text.
- Copy and Use: Click "Copy" to copy the result. Encoded output is safe to embed as text content in HTML documents without breaking the document structure or enabling XSS attacks.
Technical Details
HTML entities represent characters that have special meaning in HTML or aren't available on standard keyboards. The five essential entities are: `&lt;` (<), `&gt;` (>), `&amp;` (&), `&quot;` ("), and `&apos;` ('). Named entities use mnemonic references (`&copy;` for ©), while numeric entities use decimal (`&#169;`) or hexadecimal (`&#xA9;`) Unicode code points.
HTML5 defines over 2,000 named character references. For security, always encode user-supplied content before inserting it into HTML—this prevents XSS (Cross-Site Scripting) attacks by neutralizing injected script tags and event handlers. Context matters: content in HTML text nodes needs different escaping than content in HTML attributes or JavaScript strings. This tool handles the most common case: HTML text content escaping.
Common Mistakes to Avoid
- Only Escaping < and >: Minimal encoding misses attack vectors. In HTML attributes, quotes must be escaped. Ampersands always need escaping to prevent entity injection. Use a complete encoding function, not manual character replacement.
- Double Encoding: Encoding already-encoded text produces mangled output. `&amp;` becomes `&amp;amp;`. Always decode before re-encoding if the input might already contain entities.
- Trusting Encoding Alone for Security: HTML encoding prevents XSS in HTML contexts, but JavaScript contexts, CSS contexts, and URL contexts each require different escaping. Use context-appropriate encoding—HTML entities in JavaScript code won't prevent injection.
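
The first two mistakes above, shown side by side with a complete encoder. This is an added example, not this tool's own code; every function name and the sample input are hypothetical and constructed for illustration.

```javascript
// Added example; all function names here are hypothetical.
const NAMED = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const BY_NAME = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Complete encoder: one pass over all five must-encode characters, so an
// "&" produced by one replacement is never encoded a second time.
function encodeHtml(text, { numeric = false } = {}) {
  return String(text).replace(/[&<>"']/g, (ch) =>
    numeric ? `&#${ch.codePointAt(0)};` : NAMED[ch]);
}

// Mistake: escaping only the tag delimiters.
function encodeTagsOnly(text) {
  return String(text).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Single-pass decoder for the five basic names plus decimal/hex references.
// One pass matters: "&amp;lt;" must decode to "&lt;", not to "<".
function decodeHtml(text) {
  return String(text).replace(
    /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|(amp|lt|gt|quot|apos));/g,
    (match, dec, hex, name) => {
      if (name) return BY_NAME[name];
      const cp = dec ? parseInt(dec, 10) : parseInt(hex, 16);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    });
}

// Decode before re-encoding input that may already contain entities.
function reencode(text) {
  return encodeHtml(decodeHtml(text));
}

// Places a value inside a double-quoted attribute using the given encoder.
function renderAttr(value, encoder) {
  return `<input value="${encoder(value)}">`;
}

// Constructed sample: a value containing a double quote.
const sample = 'x" data-injected="1';
console.log(renderAttr(sample, encodeTagsOnly)); // quote survives: a second attribute appears
console.log(renderAttr(sample, encodeHtml));     // quote encoded: value stays one attribute
console.log(encodeHtml("Tom &amp; Jerry"));      // already-encoded input gets double encoded
console.log(reencode("Tom &amp; Jerry"));        // decoded first, then encoded once
```
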
Related Tools
Need to encode special characters for URLs instead of HTML? Use our URL Encoder & Decoder. For validating and formatting HTML documents, try the HTML/CSS/JS Minifier.
Frequently Asked Questions
What characters must be encoded in HTML?
At minimum, encode < > & and " (in attributes). The < and > prevent tag injection, & prevents entity injection, and quotes prevent attribute breakout in quoted attributes. For maximum safety, also encode ' and non-ASCII characters.
When should I use numeric entities instead of named entities?
Use numeric entities for XML contexts (including XHTML) where named entities beyond the basic five aren't predefined, or when embedding content in systems that might not recognize named entities. Numeric entities work universally.
Does HTML encoding prevent all XSS attacks?
HTML encoding prevents XSS in HTML text contexts. However, JavaScript, CSS, and URL contexts require different encoding. If you're inserting user data into onclick handlers, style attributes, or href attributes, you need context-specific escaping beyond HTML entities.