HTML Entity Encoder/Decoder
Encode and decode HTML entities. Convert special characters to HTML entities and back. Supports named and numeric entities for XSS prevention.
Common HTML Entities — Quick Reference
| Character | Named entity | Numeric | Description |
|---|---|---|---|
| & | &amp; | &#38; | Ampersand |
| < | &lt; | &#60; | Less than |
| > | &gt; | &#62; | Greater than |
| " | &quot; | &#34; | Double quote |
| ' | &apos; | &#39; | Single quote / apostrophe |
| (non-breaking space) | &nbsp; | &#160; | Non-breaking space |
| © | &copy; | &#169; | Copyright sign |
| ® | &reg; | &#174; | Registered sign |
| ™ | &trade; | &#8482; | Trade mark sign |
| € | &euro; | &#8364; | Euro sign |
| £ | &pound; | &#163; | Pound sign |
| — | &mdash; | &#8212; | Em dash |
| – | &ndash; | &#8211; | En dash |
| … | &hellip; | &#8230; | Ellipsis |
| « | &laquo; | &#171; | Left angle quotation |
| » | &raquo; | &#187; | Right angle quotation |
Click any row to load the named entity into the input field.
All encoding and decoding runs entirely in your browser. No text is sent to any server.
How to Use HTML Entity Encoder/Decoder
1. Choose Encode or Decode mode.
2. Paste your text or HTML entities.
3. See the converted output instantly.
4. Copy the result to your clipboard.
Frequently Asked Questions
What are HTML entities?
HTML entities are special codes used to represent characters that have reserved meaning in HTML or that are difficult to type directly. They begin with an ampersand (&) and end with a semicolon (;). For example, &lt; renders as <, &amp; renders as &, and &copy; renders as ©. Browsers decode entities when rendering HTML, displaying the intended character rather than the raw markup.
When should I use HTML entity encoding?
Use HTML entity encoding whenever you output user-supplied or dynamic content into an HTML document. The critical cases are: inserting text into HTML element content (encode <, >, &), inserting into HTML attribute values (encode <, >, &, ", and '), and inserting into URLs within HTML (also percent-encode the URL). Template engines like Jinja2 and frameworks like React auto-escape by default — only use raw HTML output when you are certain the content is safe.
What is the difference between named and numeric HTML entities?
Named entities use a human-readable keyword: &amp; (ampersand), &lt; (less-than), &copy; (copyright ©). Numeric entities reference the Unicode code point in decimal (&#169;) or hexadecimal (&#xA9;) notation. Named entities only exist for a defined subset of characters; numeric references work for any Unicode character. All three forms are equivalent — &copy; = &#169; = &#xA9; = ©. Modern UTF-8 HTML5 pages can include most Unicode characters directly without encoding.
Which HTML characters must always be encoded?
The five characters that are always significant in HTML and must be encoded are: & (ampersand → &amp;), < (less-than → &lt;), > (greater-than → &gt;), " (double quote → &quot; in attribute values), and ' (single quote → &apos; or &#39; in single-quoted attribute values). The ampersand must be encoded first when encoding a string, otherwise your own entity markers get double-encoded. All other characters are optional to encode in UTF-8 documents.
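The ampersand-ordering rule above, together with the equivalence of named, decimal and hexadecimal references, as an added JavaScript example (not this tool's own code; the function names, the small named-entity table and the sample string are assumptions made for illustration):

```javascript
// Added example; function names are hypothetical, not the tool's own code.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single pass: every source character is replaced exactly once, so the
// ampersands written by the encoder are never looked at again.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY[ch]);
}

// Deliberately wrong: chained replaces with the ampersand LAST re-encode the
// "&" of every entity written by the earlier steps.
function encodeAmpersandLast(text) {
  return String(text)
    .replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;')
    .replace(/&/g, '&amp;');
}

// Small named table for the demo; a full decoder needs the whole HTML list.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", copy: '\u00A9' };
const hasName = (name) => Object.prototype.hasOwnProperty.call(NAMED, name);

// Decodes named, decimal and hex references in one left-to-right pass, so
// "&amp;lt;" yields the text "&lt;" and is not decoded a second time.
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (m, body) => {
    if (body[0] !== '#') {
      return hasName(body) ? NAMED[body] : m; // unknown name: keep as-is
    }
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    const valid = cp > 0 && cp <= 0x10FFFF && !(cp >= 0xD800 && cp <= 0xDFFF);
    return valid ? String.fromCodePoint(cp) : m; // invalid code point: keep as-is
  });
}

// Constructed sample input.
const SAMPLE = 'Tom & Jerry <b class="x">it\'s</b>';
console.log(encodeHtml(SAMPLE));
console.log(encodeAmpersandLast(SAMPLE));
console.log(decodeHtml('&copy; &#169; &#xA9;'));
```

The single-pass encoder sidesteps the ordering problem entirely; if you chain replacements instead, the ampersand step has to come first.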
Does HTML entity encoding prevent XSS attacks?
HTML entity encoding is one layer of XSS (cross-site scripting) prevention, but it must be applied in the right context. Encoding &, <, >, ", and ' stops a browser from interpreting injected text as HTML markup or JavaScript — a <script> tag injected by a user becomes &lt;script&gt; and is rendered as text, not executed. However, context matters: text inside a <script> block needs JavaScript escaping, not HTML encoding. URL attributes need URL encoding. CSS values need CSS escaping. Always use a context-aware escaping library, and never rely on a single method alone.