Encode special characters to HTML entities or decode them back — instant, free, private
| Char | Named Entity | Numeric | Hex | Description |
|---|---|---|---|---|
| & | & | & | & | Ampersand |
| < | < | < | < | Less than |
| > | > | > | > | Greater than |
| " | " | " | " | Double quote |
| ' | ' | ' | ' | Apostrophe |
| · | |   |   | Non-breaking space |
| © | © | © | © | Copyright |
| ® | ® | ® | ® | Registered |
| ™ | ™ | ™ | ™ | Trademark |
| € | € | € | € | Euro sign |
| £ | £ | £ | £ | Pound sign |
| ¥ | ¥ | ¥ | ¥ | Yen sign |
| — | — | — | — | Em dash |
| – | – | – | – | En dash |
| … | … | … | … | Ellipsis |
Encoding user input before inserting it into HTML prevents cross-site scripting (XSS) attacks. Characters like <, >, and & that could be interpreted as HTML tags or script injections are safely converted to their entity forms.
Named entities like & are human-readable. Numeric entities like & work for every Unicode character, even those without a named entity. Hex form & is also valid.
HTML entities represent characters that would break HTML markup if inserted literally — or characters that are hard to type on a keyboard. The standard entities <, >, and & are required in all valid HTML documents.
HTML entities are special character sequences used to represent characters that have special meaning in HTML or that cannot be typed directly. They start with & and end with ;. For example, < represents the less-than sign (<), and & represents the ampersand (&).
You should encode HTML whenever displaying user-generated content to prevent XSS (cross-site scripting) attacks. Characters like <, >, and & must be encoded when output in an HTML context. Also encode when embedding HTML in XML, JSON strings, email bodies, or when storing HTML in databases.
Named entities use a word or abbreviation: & for &, < for <. Numeric entities use the character's Unicode code point as a decimal (&) or hexadecimal (&) number. Named entities are more readable; numeric entities work for any Unicode character even when a name doesn't exist.
In JavaScript, encode HTML using a DOM method: const el = document.createElement('div'); el.textContent = userInput; return el.innerHTML; — the browser handles encoding automatically. Alternatively: str.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>'). Use DOMPurify for security-critical sanitization.
The characters that must always be encoded in HTML are: & (ampersand) → &, < (less than) → <, > (greater than) → >. In attribute values, " must be encoded as ". Without encoding, these characters break HTML parsing.
HTML entity decoding converts HTML entity sequences back to their original characters. For example, <script> becomes <script>. Browsers do this automatically when rendering HTML. You may need to decode programmatically when processing HTML strings in templates, APIs, or server-side code.
is the HTML entity for a non-breaking space (Unicode U+00A0). Unlike a regular space, a non-breaking space prevents the browser from inserting a line break at that position. It also is not collapsed like regular spaces. Commonly used to add visible spacing or to prevent text from wrapping at specific points.
If an HTML attribute value is wrapped in double quotes, single quotes do not need encoding. If wrapped in single quotes, single quotes must be encoded as ' or '. When inserting user-supplied values dynamically into attributes — especially in templates — encode both quote types for safety. Use the "Encode quotes too" option above.