HTML Entity Encoder & Decoder
Convert special characters to HTML entities and back. Encode &, <, >, ", ' and other symbols to prevent XSS attacks and ensure text renders correctly in HTML.
Quick Reference
| Character | Entity Name | Numeric Code |
|---|---|---|
| & | `&amp;` | `&#38;` |
| < | `&lt;` | `&#60;` |
| > | `&gt;` | `&#62;` |
| " | `&quot;` | `&#34;` |
| ' | `&apos;` | `&#39;` |
| (non-breaking space) | `&nbsp;` | `&#160;` |
Frequently Asked Questions
What are HTML entities and why are they needed?
HTML entities are codes that represent characters which have special meaning in HTML, or characters that aren't on a standard keyboard. The less-than sign (<) starts an HTML tag, so writing it directly in content would break the page structure. Writing `&lt;` instead tells the browser to display a < symbol safely. Entities also ensure consistent rendering of quotation marks, apostrophes, ampersands, and non-ASCII characters across all browsers.
How does encoding prevent XSS attacks?
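Cross-site scripting (XSS) attacks inject malicious scripts into web pages through user input. If a user submits <script>alert('hacked')</script> into a comment field, an unprotected site would insert it into the page as markup and visitors' browsers would execute it. Encoding converts the < to `&lt;` and > to `&gt;`, turning the script tag into harmless displayable text that browsers render as characters rather than code. Always encode user-supplied content before inserting it into HTML output. Entity encoding protects HTML text and quoted attribute values; data placed inside scripts, URLs, or style sheets needs the encoding that matches that context.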
When should I use numeric codes vs named entities?
Named entities like `&amp;` and `&lt;` are easier to read and widely supported. Numeric codes like `&#38;` and `&#60;` work in any HTML version and for characters with no named entity. For common characters (&, <, >, ", '), use named entities, because they're more readable in source code. For uncommon symbols, accented letters, or mathematical characters, numeric codes are often the safer choice since not all parsers recognize every named entity. Note that `&apos;` is defined in XML and HTML5 but not in HTML 4, so `&#39;` is the more portable form for the apostrophe.
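The encoding described in the XSS answer and the named/numeric distinction above, as an added JavaScript example (not this tool's own code). The function names `encodeHtml`, `decodeHtml` and `renderComment` and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example. Characters from the quick-reference table and their entities.
// The apostrophe uses the numeric form so the output is valid in any HTML version.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

// Single pass: every source character is replaced exactly once, so an '&'
// produced by an earlier replacement is never re-encoded by a later one.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decodes named (subset above), decimal (&#60;) and hex (&#x3C;) references.
// Also single pass, so "&amp;lt;" decodes to the text "&lt;", not to "<".
// Unknown names and invalid code points are returned unchanged.
function decodeHtml(html) {
  return String(html).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') {
      // Entity names are case-sensitive, so look the name up as written.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    const valid = code > 0 && code <= 0x10ffff && !(code >= 0xd800 && code <= 0xdfff);
    return valid ? String.fromCodePoint(code) : match;
  });
}

// Encode at the point of output. Quotes are encoded too, which keeps a value
// inside a double-quoted attribute from closing that attribute.
function renderComment(author, body) {
  return `<p title="${encodeHtml(author)}">${encodeHtml(body)}</p>`;
}

// Constructed sample input: the comment payload quoted in the FAQ above.
const sample = "<script>alert('hacked')</script>";
console.log(encodeHtml(sample));
console.log(renderComment('Bob "the builder"', sample));
console.log(decodeHtml('&lt; &#60; &#x3C; &amp;lt;'));
```
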