HTML Entity Encoder / Decoder

Encode special characters into HTML entities (e.g. < → &lt;) or decode HTML entities back to readable text. Supports named, decimal, and hex entities.

FAQ

Why encode HTML entities?

When inserting user content into HTML, special characters like <, >, and & must be escaped to prevent them from being interpreted as HTML markup or causing XSS vulnerabilities.

What is the difference between named and numeric entities?

Named entities use a descriptive name (e.g. &copy;), decimal entities use a decimal code point (e.g. &#169;), and hex entities use hexadecimal (e.g. &#xA9;). All three represent the same character.

Does decoding support all HTML5 entities?

This tool decodes the most common named entities. For the complete HTML5 named character references list, refer to the WHATWG specification.

Frequently Asked Questions

Why should I encode HTML entities?

Encoding HTML entities prevents special characters like <, >, and & from being interpreted as HTML markup, which is essential for preventing XSS (Cross-Site Scripting) vulnerabilities.

What is the difference between named and numeric entities?

Named entities use a mnemonic name (e.g. &amp;), decimal entities use a numeric code point (e.g. &#38;), and hexadecimal entities use hex (e.g. &#x26;). All are equivalent.

When should I use HTML entity encoding?

Always encode user-generated content before rendering it as HTML. This prevents XSS attacks and ensures special characters display correctly in all browsers.

Why HTML Entities Exist

HTML has five characters that carry structural meaning: < > & " '. If you write one of these characters in content without escaping it, the browser interprets it as part of the HTML structure rather than display text. HTML entities provide an escape mechanism that tells the browser “display this character, do not parse it as markup.”

Entities are also used for characters that are difficult to type (copyright ©, trademark ™, non-breaking space &nbsp;) or that could cause encoding issues in older systems.

Most Common HTML Entities

Character                Named entity   Decimal    Hex
< (less than)            &lt;           &#60;      &#x3C;
> (greater than)         &gt;           &#62;      &#x3E;
& (ampersand)            &amp;          &#38;      &#x26;
" (double quote)         &quot;         &#34;      &#x22;
' (single quote)         &apos;         &#39;      &#x27;
  (non-breaking space)   &nbsp;         &#160;     &#xA0;
© (copyright)            &copy;         &#169;     &#xA9;
® (registered)           &reg;          &#174;     &#xAE;
™ (trademark)            &trade;        &#8482;    &#x2122;
€ (euro)                 &euro;         &#8364;    &#x20AC;

Entity Encoding & XSS Prevention

Cross-Site Scripting (XSS) is the #3 most common web vulnerability (OWASP Top 10). It occurs when user-controlled text is rendered in an HTML page without escaping, allowing attackers to inject <script> tags or event handlers that steal cookies, redirect users, or deface pages.

The defense is straightforward: always HTML-encode any data you did not write yourself before inserting it into the DOM. Modern frameworks (React, Vue, Angular) do this automatically via JSX / template interpolation. The danger arises when using dangerouslySetInnerHTML, v-html, or raw innerHTML with unescaped user input.
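
The encoding described above, together with a single-pass decoder for the named, decimal and hex forms, as an added example that is not this tool's own code. The function names encodeHtml and decodeHtml and the small NAMED table (limited to the entities listed on this page) are assumptions made for illustration.

```javascript
// Added example: encoder for the five structural characters, plus a decoder.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text for HTML element content or a quoted attribute value.
// '&' is handled in the same pass as the others, so nothing is double-encoded.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Named entities from the table on this page only (assumption: a real decoder
// would load the full WHATWG list).
const NAMED = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  nbsp: '\u00A0', copy: '\u00A9', reg: '\u00AE', trade: '\u2122', euro: '\u20AC',
};

// Decode named, decimal and hex entities in a single pass, so that
// "&amp;lt;" becomes the text "&lt;" and is never decoded a second time.
function decodeHtml(text) {
  const pattern = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;
  return String(text).replace(pattern, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // NUL, surrogates and out-of-range values become U+FFFD instead of
      // throwing a RangeError from String.fromCodePoint.
      if (cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return '\uFFFD';
      return String.fromCodePoint(cp);
    }
    // Own-property check so names like "constructor" never hit the prototype;
    // unknown names are left in the text unchanged.
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Constructed sample input: markup-looking text supplied by a user.
const sample = '<script>alert("x")</script> Tom & Jerry\'s';
console.log(encodeHtml(sample));
console.log(decodeHtml('&copy; &#169; &#xA9; &amp;lt;'));
```

Entity encoding covers HTML text and quoted attribute values; data placed in script, URL or CSS contexts needs the encoding for that context.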