HTML Entity Encoder
Encode or decode HTML entities and special characters.
HTML Entity Encoder: What It Does
Paste any text or HTML into the encoder to convert special characters to their HTML entity equivalents, or paste encoded HTML to decode entities back to their literal characters. Essential for safely displaying user-generated content, debugging template output, preparing text for HTML attributes, and preventing XSS vulnerabilities.
Most Common HTML Entities
- &amp; → & (ampersand)
- &lt; → < (less-than sign)
- &gt; → > (greater-than sign)
- &quot; → " (double quotation mark)
- &apos; → ' (apostrophe, HTML5)
- &nbsp; → non-breaking space
- &copy; → © (copyright symbol)
- &mdash; → — (em dash)
Encoding in Different Languages
- JavaScript: element.textContent = str inserts the string as text, never as markup, so no encoding is needed; avoid innerHTML with untrusted input
- Python: html.escape(str) encodes < > & " ' (the default quote=True covers the two quote characters)
- PHP: htmlspecialchars($str, ENT_QUOTES)
- Java: StringEscapeUtils.escapeHtml4(str) (Apache Commons Text)
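The decoding half of the tool, as an added example that is not the encoder's own code: a small entity decoder that handles the three forms listed above (named, decimal, hexadecimal) for the named entities in the table, plus a round-trip check against Python's html.escape. The NAMED_ENTITIES map and the semicolon-required regex are this example's simplifications; a full decoder uses the HTML5 entity table (html.entities.html5) and, like a browser, also accepts some legacy names without a semicolon.

```python
import html
import re

# Named entities from the table above. Python's html.entities.html5 holds the full
# HTML5 table; this short map is deliberately limited for illustration.
NAMED_ENTITIES = {
    "amp": "&", "lt": "<", "gt": ">", "quot": '"', "apos": "'",
    "nbsp": "\u00a0", "copy": "\u00a9", "mdash": "\u2014",
}

# The three entity forms: &name;  &#DDD; (decimal)  &#xHHH; (hexadecimal).
# Unlike a browser, this regex insists on the closing semicolon.
ENTITY_RE = re.compile(
    r"&(?:#(?P<dec>[0-9]+)|#[xX](?P<hex>[0-9a-fA-F]+)|(?P<name>[A-Za-z][A-Za-z0-9]*));"
)


def decode_entities(text: str) -> str:
    """Replace named, decimal and hexadecimal entities with their characters."""

    def replace(match: re.Match) -> str:
        if match.group("dec") is not None:
            code_point = int(match.group("dec"))
        elif match.group("hex") is not None:
            code_point = int(match.group("hex"), 16)
        else:
            # Unknown names are left exactly as written, which is what browsers do too
            return NAMED_ENTITIES.get(match.group("name"), match.group(0))
        # Values above U+10FFFF or in the surrogate range are not characters
        if code_point > 0x10FFFF or 0xD800 <= code_point <= 0xDFFF:
            return match.group(0)
        return chr(code_point)

    return ENTITY_RE.sub(replace, text)


def round_trip(text: str) -> bool:
    """True if decoding what html.escape produced gives the original text back."""
    return decode_entities(html.escape(text)) == text


if __name__ == "__main__":
    samples = (
        "&lt;b&gt; &amp; &quot;x&quot; &apos;y&apos;",
        "&#38; &#x26; &copy; &mdash;",
        "&bogus; &#x110000;",
    )
    for sample in samples:
        print(repr(sample), "->", repr(decode_entities(sample)))
    print("round trip:", round_trip('<a href="x">Tom & Jerry\'s</a>'))
```

The round trip works because html.escape emits the apostrophe as the numeric &#x27;, which the hexadecimal branch decodes; the stdlib's html.unescape is the function to use in real code, and the last sample shows one place where the two differ: html.unescape turns an out-of-range code point into U+FFFD while this decoder leaves the text untouched.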
Security Note: XSS Prevention
Never insert user-supplied content into HTML without encoding it first. Even "safe-looking" input like a username can contain <script> tags or event handler attributes. Always encode on output (not just on input), use your framework's built-in escaping, and treat the innerHTML property as a last resort.
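What "encode on output" looks like in practice, as an added example rather than the tool's own code: the raw-concatenation pattern the note warns against beside its encoded form, for both text content and an attribute value, with Python's html.parser used to show what a parser actually makes of each result. The two usernames are constructed sample inputs; the attribute case also shows why html.escape must keep its default quote=True when the output lands inside a quoted attribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs: a "username" that is really markup, and one that
# tries to close the surrounding attribute early.
USERNAME_WITH_TAG = "<script>alert(1)</script>"
USERNAME_WITH_QUOTE = 'bob" class="admin'


def greet_unsafe(username: str) -> str:
    # Vulnerable: raw string concatenation into HTML
    return '<p class="user">Hello, ' + username + "</p>"


def greet_safe(username: str) -> str:
    # Hardened: encode on output; html.escape defaults to quote=True
    return '<p class="user">Hello, ' + html.escape(username) + "</p>"


def field_unsafe(username: str) -> str:
    return '<input value="' + username + '">'


def field_half_escaped(username: str) -> str:
    # Common mistake: quote=False covers < > & only, so " still ends the attribute
    return '<input value="' + html.escape(username, quote=False) + '">'


def field_safe(username: str) -> str:
    return '<input value="' + html.escape(username) + '">'


class _TagRecorder(HTMLParser):
    """Records start tags and their attributes: what a parser makes of the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)


def parse(markup: str) -> tuple:
    """Return (list of start tags, dict of attributes per tag) for a markup string."""
    recorder = _TagRecorder()
    recorder.feed(markup)
    recorder.close()
    return recorder.tags, recorder.attrs


if __name__ == "__main__":
    for render in (greet_unsafe, greet_safe):
        print(render.__name__, "->", parse(render(USERNAME_WITH_TAG))[0])
    for render in (field_unsafe, field_half_escaped, field_safe):
        print(render.__name__, "->", parse(render(USERNAME_WITH_QUOTE))[1]["input"])
```

In the unsafe and half-escaped attribute cases the parser reports two attributes, value and class, from what was supposed to be a single value; with full escaping it reports one attribute whose value is the original string, quote included.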
Frequently Asked Questions
- What are HTML entities and why are they needed?
- HTML entities are text codes that represent characters with special meaning in HTML markup, such as < > & " and '. Because these characters are part of HTML syntax itself, displaying them as literal text requires escaping them as &lt; &gt; &amp; &quot; and &apos; (or the numeric &#39;, which older HTML parsers that predate &apos; also understand). Without encoding, the browser may interpret them as HTML tags or attributes.
- What is the difference between named and numeric HTML entities?
- Named entities use a descriptive keyword: &amp; for &, &lt; for <, &copy; for ©. Numeric entities use the Unicode code point in decimal (&#38;) or hexadecimal (&#x26;). Named entities are easier to read; numeric entities work for any Unicode character even if no named entity exists.
- When should I encode vs escape user input?
- Always HTML-encode any user-supplied content before inserting it into HTML to prevent Cross-Site Scripting (XSS) attacks. In modern templating systems (React JSX, Django templates, Thymeleaf), auto-escaping is usually on by default. Be especially careful with innerHTML assignments, dangerouslySetInnerHTML in React, and any raw string concatenation into HTML.
- What is the difference between HTML encoding and URL encoding?
- HTML encoding (entities) makes text safe to display inside HTML documents: it escapes characters that have special meaning in HTML markup. URL encoding (percent-encoding) makes text safe for use in URLs by replacing spaces and special characters with %XX sequences. They serve different purposes and must not be confused or substituted for each other.
- Do I need to encode characters inside a CDATA section?
- In XML and XHTML, content inside a CDATA section (<![CDATA[...]]>) is treated as literal text and does not require entity encoding. However, in standard HTML5 (which is not XML), CDATA sections are not recognized in ordinary HTML content (the parser only honours them inside embedded SVG or MathML): entity encoding is still required for < > and & in regular text content and attribute values.
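The HTML-encoding versus URL-encoding question above, worked through in code as an added example (not the tool's own): a search link built with the two encodings layered in the right order, beside the common mistake of using HTML encoding where URL encoding was needed, with urllib.parse showing the query parameters the server would actually receive. The search term is a constructed sample input.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample: a search term containing characters special to a query string
SEARCH_TERM = "a&b=c"


def search_href(term: str) -> str:
    """Correct layering: URL-encode the value, then HTML-encode the URL for the attribute."""
    url = "/search?q=" + quote(term, safe="")
    return html.escape(url)


def search_href_wrong(term: str) -> str:
    """Mistake: HTML encoding used as a substitute for URL encoding."""
    return "/search?q=" + html.escape(term)


def as_anchor(href: str) -> str:
    return '<a href="' + href + '">search</a>'


def server_sees(href: str) -> dict:
    """The query parameters a server receives after the browser decodes the attribute."""
    url = html.unescape(href)  # the browser turns the attribute value back into a URL
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    for build in (search_href, search_href_wrong):
        href = build(SEARCH_TERM)
        print(as_anchor(href), "->", server_sees(href))
```

With the correct layering the server gets one parameter q holding the whole term; with the wrong encoding the &amp; is decoded by the browser before the request is sent, so the server sees two parameters, q and b, and the second was injected by the user. The same separation holds in the other direction: percent-encoding text destined for HTML content produces a harmless but unreadable %3C...%3E string instead of an entity.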