HTML Entity Encode & Decode

Convert special characters to HTML entities for safe display in web pages, or decode entities back to readable text.


What Are HTML Entities?

HTML entities are special codes used to represent characters that have reserved meaning in HTML or that cannot be easily typed on a keyboard. When a browser encounters an HTML entity, it renders the corresponding character on screen. For example, the less-than sign (<) is written as &lt; in HTML source code because the raw < character would be interpreted as the start of an HTML tag.

There are two forms of HTML entities: named entities (like &amp; for &, &copy; for ©) and numeric entities (like &#60; for < or &#x3C; using hexadecimal). Named entities are easier to read in source code, while numeric entities can represent any Unicode character.

Why HTML Encoding Matters for Security

Proper HTML encoding is one of the most critical defenses against Cross-Site Scripting (XSS) attacks. When user-generated content is displayed on a web page without encoding, an attacker can inject malicious JavaScript code through form inputs, URL parameters, or other user-controllable data. By encoding all output that originates from user input — converting characters like <, >, &, ", and ' to their HTML entity equivalents — you ensure that the browser treats the content as text rather than executable code.

Common HTML Entities Reference

The five most important characters to encode are: & (ampersand) → &amp;, < (less than) → &lt;, > (greater than) → &gt;, " (double quote) → &quot;, and ' (single quote) → &#39;. These five characters are sufficient to prevent most HTML injection attacks when applied to content placed within HTML elements and attributes.
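The following is an added JavaScript example, not code from the tool page, showing how the five-character encoding above is applied when an application builds an HTML string from untrusted input. The `renderComment` helper and the sample author/body strings are constructed for this illustration.

```javascript
// Added example (not from the tool page): minimal HTML entity encoder for the
// five characters the page lists, plus a helper that builds a safe HTML string.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters with reserved meaning inside HTML element
// content and quoted attribute values. '&' is included so that an entity
// already present in the input (e.g. "&lt;") is shown literally rather than
// being interpreted by the browser.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a comment block from untrusted input (hypothetical helper). Both the
// element body and the attribute value are encoded, so input containing a
// <script> tag or a closing quote is rendered as text, not parsed as markup.
function renderComment(author, body) {
  return `<div class="comment" data-author="${encodeHtml(author)}">` +
         `<p>${encodeHtml(body)}</p></div>`;
}

// Constructed sample inputs: one tries to break out of a quoted attribute,
// the other tries to inject an element into the body.
const untrustedAuthor = 'Mallory" onmouseover="alert(1)';
const untrustedBody = '<script>alert(1)</script> & more';
console.log(renderComment(untrustedAuthor, untrustedBody));
```

This encoder is correct only for HTML element content and quoted attribute values; data placed inside a JavaScript string, a URL, or a CSS value needs the encoder for that context, as the FAQ below notes for URL encoding.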

Frequently Asked Questions

When should I use HTML entity encoding?
You should encode any user-supplied or dynamic content before inserting it into HTML pages. This includes form inputs, database content, URL parameters, and data from external APIs. Most modern web frameworks perform this encoding automatically, but manual encoding is essential when building raw HTML strings.
Is HTML encoding the same as URL encoding?
No. HTML encoding converts characters to HTML entities (like &lt;) for safe display in web pages. URL encoding converts characters to percent-encoded format (like %3C) for safe inclusion in URLs. Each serves a different context and uses a different format.
Does this tool encode all characters or just special ones?
This tool encodes the five critical HTML special characters (&, <, >, ", ') that are necessary for XSS prevention. Regular letters, numbers, and common punctuation are left as-is since they do not have special meaning in HTML.
Can HTML entities represent emoji and special symbols?
Yes. Any Unicode character can be represented using numeric HTML entities. For example, the heart emoji (❤) can be written as &#10084; or &#x2764;. Named entities exist for many common symbols like &copy; (©), &reg; (®), and &euro; (€).
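As an added example (not the tool's own code), the decoder below handles the three entity forms described on this page: named entities, decimal numeric entities, and hexadecimal numeric entities, including code points outside the Basic Multilingual Plane such as emoji. The named-entity table is a small subset chosen for the example; a full decoder needs the complete WHATWG entity list. It also illustrates two practitioner checks: invalid code points are left as literal text rather than producing broken output, and decoding is a single pass, so `&amp;lt;` becomes `&lt;` and not `<`.

```javascript
// Added example (not from the tool page): decoder for named, decimal and
// hexadecimal HTML entities. The named table is an illustrative subset.

const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  copy: '\u00A9', reg: '\u00AE', euro: '\u20AC', nbsp: '\u00A0',
};

// Matches &name; , &#1234; and &#x1F600; (hex digits case-insensitive).
const ENTITY_RE = /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z][a-z0-9]*));/gi;

// Convert a numeric code point to a string, or return null when the value is
// not a valid Unicode scalar value (surrogate range, above U+10FFFF, or NUL).
function codePointToString(cp) {
  if (cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return null;
  return String.fromCodePoint(cp); // emits surrogate pairs for astral code points
}

// Single-pass decode: each entity is replaced once, and the replacement text is
// never rescanned, so double-encoded input is not unwrapped twice.
function decodeHtml(text) {
  return String(text).replace(ENTITY_RE, (match, hex, dec, name) => {
    if (hex !== undefined) return codePointToString(parseInt(hex, 16)) ?? match;
    if (dec !== undefined) return codePointToString(parseInt(dec, 10)) ?? match;
    const ch = NAMED_ENTITIES[name]; // entity names are case-sensitive
    return ch !== undefined ? ch : match;
  });
}

// Constructed sample input covering named, decimal, hex and astral entities.
const sample = '&copy; 2024 &lt;b&gt;love&lt;/b&gt; &#10084; &#x2764; &#x1F600;';
console.log(decodeHtml(sample));
```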