HTML Entities Encoder / Decoder

Encode and decode HTML entities instantly

Common HTML entities reference

Character  Named entity  Numeric
&          &amp;         &#38;
<          &lt;          &#60;
>          &gt;          &#62;
"          &quot;        &#34;
'          &apos;        &#39;
©          &copy;        &#169;
®          &reg;         &#174;
™          &trade;       &#8482;
€          &euro;        &#8364;
£          &pound;       &#163;
—          &mdash;       &#8212;
…          &hellip;      &#8230;
°          &deg;         &#176;
×          &times;       &#215;
÷          &divide;      &#247;

HTML Entities Encoder & Decoder

This tool converts special characters to their HTML entity equivalents (encoding), and converts HTML entities back to their original characters (decoding). It supports named entities (&amp;, &lt;, &copy;, etc.) as well as decimal (&#169;) and hexadecimal (&#xA9;) numeric entities.

Why HTML Entity Encoding Matters for Security

Proper HTML encoding is one of the most important defenses against Cross-Site Scripting (XSS), the #1 web vulnerability category in the OWASP Top 10. When user-supplied text is inserted into an HTML page without escaping, an attacker can inject HTML tags or JavaScript that the browser executes. Encoding every instance of <, >, &, ", and ' prevents this.

Essential Entities

  • &amp; → & (ampersand; always encode in HTML)
  • &lt; → < (less-than / open tag)
  • &gt; → > (greater-than / close tag)
  • &quot; → " (double quote; encode inside attributes)
  • &apos; → ' (single quote; encode inside single-quoted attributes)
  • &nbsp; → non-breaking space

Numeric HTML Entities

Any Unicode character can be referenced by its decimal code point: &#NNN;. For example, &#169; renders as ©. The hex form is &#xHHH;. For example, &#xA9; is also ©. This is useful for characters that have no standard named entity or for embedding emoji in legacy HTML.
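
The decoding direction, as an added example that is not this tool's own code: a single-pass decoder for decimal, hexadecimal and named references. The names `NAMED`, `codePointToString` and `decodeEntities` are illustrative, the named set is limited to this page's reference table plus &nbsp;, and a trailing `;` is required.

```javascript
// Added example; names are illustrative, not taken from the tool.
// Named entities limited to the ones in this page's reference table.
const NAMED = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0',
  copy: '\u00A9', reg: '\u00AE', trade: '\u2122', euro: '\u20AC', pound: '\u00A3',
  mdash: '\u2014', hellip: '\u2026', deg: '\u00B0', times: '\u00D7', divide: '\u00F7',
};

function codePointToString(cp) {
  // NUL, surrogate halves and values past U+10FFFF are not valid characters;
  // return U+FFFD instead of throwing on hostile input such as &#99999999;.
  if (!(cp > 0 && cp <= 0x10FFFF) || (cp >= 0xD800 && cp <= 0xDFFF)) return '\uFFFD';
  return String.fromCodePoint(cp);
}

function decodeEntities(text) {
  // One pass over the input: "&amp;lt;" becomes "&lt;", never "<".
  // Decoding repeatedly is how encoded markup turns live again.
  return String(text).replace(
    /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([A-Za-z][A-Za-z0-9]*));/g,
    (match, dec, hex, name) => {
      if (dec !== undefined) return codePointToString(parseInt(dec, 10));
      if (hex !== undefined) return codePointToString(parseInt(hex, 16));
      // Own-property check so names like "constructor" are left untouched.
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
    });
}

// Constructed sample input.
console.log(decodeEntities('&#169; &#xA9; &copy; &amp;lt; &bogus;'));
```

Decoded output is raw text again, so it has to be re-encoded before it is written back into a page.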

HTML Entities vs. JavaScript String Escaping

HTML entity encoding is specifically for characters inside HTML documents. It is different from JavaScript string escaping (backslash sequences like \n, \u0041) and from URL percent-encoding (%20). Use each encoding in the right context: HTML encoding for HTML output, URL encoding for query strings and paths, and JS escaping for JSON or inline script strings.
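
The context rule above, as an added example that is not this tool's own code: one untrusted value written into an HTML text node, a quoted attribute, a URL query parameter and an inline script string, each with its own encoding. The helper names and the `/search` URL are illustrative assumptions.

```javascript
// Added example; helper names and the /search path are illustrative.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text nodes and quoted attribute values: encode the five characters
// in a single pass so an "&" produced by the encoder is never re-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Query-string component: percent-encode the value, then HTML-encode the
// finished URL because it is itself placed inside an HTML attribute.
function hrefWithQuery(base, param, value) {
  return escapeHtml(`${base}?${param}=${encodeURIComponent(value)}`);
}

// Inline <script> string: JSON.stringify yields a JS string literal; "<" is
// written as \u003c so the data can never spell "</script>".
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

function renderProfile(name) {
  return [
    `<p>Hello, ${escapeHtml(name)}</p>`,
    `<input value="${escapeHtml(name)}">`,
    `<a href="${hrefWithQuery('/search', 'q', name)}">search</a>`,
    `<script>var userName = ${jsStringLiteral(name)};</script>`,
  ].join('\n');
}

// Constructed sample input (the same string the FAQ uses).
const sample = '<script>alert("xss")</script>';
console.log(renderProfile(sample));
```

`escapeHtml` assumes the attribute value is quoted; an unquoted attribute can be ended by a space, which these five replacements do not cover.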

Frequently Asked Questions

What are HTML entities?
HTML entities are special codes used to represent characters that have a reserved meaning in HTML, or characters that are difficult to type. They always start with & and end with ;. For example, &amp; represents &, &lt; represents <, and &gt; represents >. They can also represent any Unicode character using numeric codes like &#169; (©) or &#x2764; (❤).
When should I encode HTML entities?
You should encode HTML entities any time you inject user-provided text or dynamic data into HTML markup. If a user types <script>alert("xss")</script> and you insert that directly into HTML without encoding, it will execute as JavaScript, a classic XSS attack. Encoding turns it into &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; which displays safely as text.
What is the difference between named and numeric HTML entities?
Named entities use a short descriptive name like &amp; or &copy;. Numeric entities use the Unicode code point as either a decimal number (&#38;) or a hex number (&#x26;). All three represent the same character. Named entities are more readable; numeric entities work for any Unicode character even if no named form exists.
Does modern HTML5 require HTML entity encoding?
HTML5 documents served with UTF-8 encoding can include most Unicode characters directly without entity encoding, because the browser can render them natively. However, you still MUST encode the four characters that have structural meaning in HTML: & (&amp;), < (&lt;), > (&gt;), and " (&quot;) inside attribute values. Failing to encode these causes broken markup.
What is &nbsp;?
&nbsp; is the non-breaking space entity. It inserts a space character that browsers will not collapse into nothing (as they do with multiple regular spaces) and will not break at a line wrap. It's commonly used in table cells, button text, or anywhere you need a guaranteed visible space that won't be trimmed.