HTML Entity Encoder / Decoder

Encode special characters to HTML entities or decode them back instantly

Common HTML Entities Reference

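| Character | Named | Decimal | Hex | Description |
|---|---|---|---|---|
| & | &amp; | &#38; | &#x26; | Ampersand |
| < | &lt; | &#60; | &#x3C; | Less than |
| > | &gt; | &#62; | &#x3E; | Greater than |
| " | &quot; | &#34; | &#x22; | Double quote |
| ' | &apos; | &#39; | &#x27; | Apostrophe / single quote |
|   | &nbsp; | &#160; | &#xA0; | Non-breaking space |
| © | &copy; | &#169; | &#xA9; | Copyright sign |
| ® | &reg; | &#174; | &#xAE; | Registered sign |
| ™ | &trade; | &#8482; | &#x2122; | Trademark sign |
| — | &mdash; | &#8212; | &#x2014; | Em dash |
| – | &ndash; | &#8211; | &#x2013; | En dash |
| € | &euro; | &#8364; | &#x20AC; | Euro sign |
| £ | &pound; | &#163; | &#xA3; | Pound sign |
| ¥ | &yen; | &#165; | &#xA5; | Yen sign |
| ¢ | &cent; | &#162; | &#xA2; | Cent sign |
| ♥ | &hearts; | &#9829; | &#x2665; | Heart suit |
| « | &laquo; | &#171; | &#xAB; | Left double angle quote |
| » | &raquo; | &#187; | &#xBB; | Right double angle quote |
| • | &bull; | &#8226; | &#x2022; | Bullet |
| … | &hellip; | &#8230; | &#x2026; | Horizontal ellipsis |
| ← | &larr; | &#8592; | &#x2190; | Left arrow |
| → | &rarr; | &#8594; | &#x2192; | Right arrow |
| ° | &deg; | &#176; | &#xB0; | Degree sign |
| × | &times; | &#215; | &#xD7; | Multiplication sign |
| ÷ | &divide; | &#247; | &#xF7; | Division sign |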

What Are HTML Entities?

HTML entities are special sequences of characters used to represent reserved characters and symbols in HTML. Because characters like <, >, and & have special meaning in HTML markup, they must be encoded as entities (&lt;, &gt;, &amp;) to be displayed as literal text in a web page.

Each entity begins with an ampersand (&) and ends with a semicolon (;). Between them is either a named reference (like amp), a decimal number preceded by #, or a hexadecimal number preceded by #x.

Why HTML Encoding Matters: XSS Prevention

One of the most important reasons to encode HTML entities is to prevent Cross-Site Scripting (XSS) attacks. XSS occurs when an attacker injects malicious scripts into web pages viewed by other users. If user-supplied input is rendered as raw HTML without encoding, an attacker could insert <script> tags or event handlers that execute arbitrary JavaScript.

By encoding characters like < and > to their entity equivalents before rendering, browsers treat them as display text rather than HTML markup. This is a fundamental security practice for any web application that displays user-generated content.
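The following is an added example, not this tool's own code: an encoder applied at the point where user input is placed into markup, shown beside the unencoded rendering it replaces. The function names and sample inputs are constructed for illustration; it covers HTML text and quoted attribute values only, so values placed in script blocks or URLs need their own encoding.

```javascript
// Added example; all names below are illustrative, not part of the tool.
const MARKUP_CHARS = new Map([
  ['&', '&amp;'], ['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;'],
]);

// Encode the five markup-significant characters. With nonAscii = true, every
// code point above 127 is also written as a hexadecimal numeric entity.
function encodeHtml(text, { nonAscii = false } = {}) {
  let out = '';
  for (const ch of String(text)) {           // iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    if (MARKUP_CHARS.has(ch)) out += MARKUP_CHARS.get(ch);
    else if (nonAscii && cp > 127) out += '&#x' + cp.toString(16).toUpperCase() + ';';
    else out += ch;
  }
  return out;
}

// Before: user input is concatenated into the markup unchanged, so quotes and
// angle brackets in it become part of the page structure.
function renderCommentUnsafe(author, body) {
  return '<p title="' + author + '">' + body + '</p>';
}

// After: every interpolated value is encoded. The attribute value must stay
// inside quotes; encoding does not protect an unquoted attribute.
function renderComment(author, body) {
  return '<p title="' + encodeHtml(author) + '">' + encodeHtml(body) + '</p>';
}

// Constructed sample input: a tag in the body, a quote break-out in the attribute.
const SAMPLE_BODY = '<script>alert(1)</script>';
const SAMPLE_AUTHOR = 'x" onmouseover="alert(1)';

console.log(renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log(renderComment(SAMPLE_AUTHOR, SAMPLE_BODY));
```

Encoding only < and > would leave the attribute case open, which is why the double and single quote are in the map as well.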

Named vs Numeric Entities

HTML supports three formats for encoding entities. Each produces the same visual result but uses different syntax:

| Format | Syntax | Example | Pros |
|---|---|---|---|
| Named | &name; | &amp; | Human-readable, easy to remember |
| Decimal | &#number; | &#38; | Works for any Unicode character |
| Hexadecimal | &#xHEX; | &#x26; | Matches Unicode code points directly |

Named entities are the most readable but only cover a limited set of characters. Numeric entities (decimal or hexadecimal) can represent any Unicode character, making them more versatile for internationalization and special symbols.
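As an added example (not this tool's own code), here is a decoder that accepts all three forms and shows the cases a validator or log normalizer has to get right: unknown names, out-of-range code points, and decoding exactly once. The named-entity map is a small subset taken from the reference table on this page, and the function names are illustrative.

```javascript
// Added example; a simplified decoder, not a full HTML5 tokenizer.
const NAMED_ENTITIES = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
  ['nbsp', '\u00A0'], ['copy', '\u00A9'], ['reg', '\u00AE'], ['euro', '\u20AC'],
]);

// A numeric reference is usable only if it names a real, non-surrogate,
// non-NUL Unicode code point.
function isValidCodePoint(cp) {
  return Number.isInteger(cp) && cp > 0 && cp <= 0x10FFFF &&
         !(cp >= 0xD800 && cp <= 0xDFFF);
}

// Decode named (&amp;), decimal (&#38;) and hexadecimal (&#x26;) references
// in a single pass over the input.
function decodeHtml(text) {
  const pattern = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;
  return String(text).replace(pattern, (match, ref) => {
    if (ref[0] !== '#') {
      // Unknown names are left as written rather than guessed at.
      return NAMED_ENTITIES.has(ref) ? NAMED_ENTITIES.get(ref) : match;
    }
    const isHex = ref[1] === 'x' || ref[1] === 'X';
    const cp = parseInt(ref.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Invalid code points become U+FFFD instead of throwing.
    return isValidCodePoint(cp) ? String.fromCodePoint(cp) : '\uFFFD';
  });
}

console.log(decodeHtml('&amp; &#38; &#x26;'));   // all three forms of the ampersand
console.log(decodeHtml('&amp;lt;'));             // decoded once only
```

Because the replacement runs once over the original string, `&amp;lt;` decodes to the text `&lt;` and not to `<`; decoding a value twice is a common way for encoded markup to become live again.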

Common Use Cases

Displaying Code Snippets

Show HTML or XML source code on a web page without browsers interpreting the tags as markup.

XSS Prevention

Sanitize user input before rendering it in HTML to prevent injection of malicious scripts.

Email Templates

Encode special characters in HTML emails to ensure consistent rendering across email clients.

CMS & Blog Content

Safely embed special characters, symbols, and typographic marks in content management systems.

Internationalization

Represent characters from non-Latin scripts when the document encoding might not support them directly.

XML & RSS Feeds

Encode reserved XML characters in feed content to produce valid, well-formed XML documents.

Frequently Asked Questions

Named entities use a human-readable name (like &amp; for the ampersand), while numeric entities use the character's Unicode code point in either decimal (&#38;) or hexadecimal (&#x26;) form. Named entities are easier to read but only exist for a subset of characters. Numeric entities can represent any Unicode character.

HTML uses certain characters as part of its syntax (like < and > for tags, & for entities). If you want to display these characters as text on a web page, you must encode them as entities. Failing to do so can cause broken layouts, invalid HTML, or security vulnerabilities like Cross-Site Scripting (XSS).

Cross-Site Scripting (XSS) is a security vulnerability where attackers inject malicious scripts into web pages. HTML encoding converts characters like < and > into their entity equivalents (&lt; and &gt;), so browsers display them as text rather than interpreting them as HTML tags. This prevents injected script tags from executing.

Yes. This tool runs entirely in your browser using client-side JavaScript. Your text is never uploaded, transmitted, or stored on any server. You can verify this by using the tool with your network tab open — no requests are made.

Yes. Enable the 'Non-ASCII' checkbox in encode mode to convert any character with a code point above 127 into its numeric HTML entity. This is useful when your document encoding might not support certain characters directly.

Named entities (&amp;, &lt;, etc.) are the most readable and are recommended for common characters. Decimal entities (&#38;) have the widest browser support. Hexadecimal entities (&#x26;) match Unicode code points directly and are preferred when working with Unicode character tables. All three are valid in HTML5.

This tool supports the most commonly used named entities including &amp;, &lt;, &gt;, &quot;, &apos;, &nbsp;, &copy;, &reg;, &trade;, &euro;, &pound;, &yen;, &hearts;, and more. For characters without a named entity, use decimal or hexadecimal numeric encoding.

HTML encoding converts characters to HTML entity references (like &amp; for &) for safe display in HTML documents. URL encoding (percent-encoding) converts characters to percent-encoded sequences (like %26 for &) for safe transmission in URLs. They serve different purposes and use different syntax.