HTML Entity Encoder & Decoder

Encode and decode HTML entities instantly. Prevents XSS attacks.

Last updated: April 2026

What are HTML Entities?

HTML entities are special codes that represent characters which have meaning in HTML syntax or cannot be typed directly. For example, &lt; represents the less-than sign (<), which browsers would otherwise interpret as the start of an HTML tag.

Why Encode HTML Entities?

Encoding prevents XSS (Cross-Site Scripting) attacks by ensuring user-supplied text is displayed as text, not executed as HTML or JavaScript. It also allows you to display reserved characters like angle brackets, ampersands, and quotation marks safely on web pages.

Named vs Numeric Entities

Named entities like &copy; (©) and &euro; (€) are human-readable. Numeric entities like &#169; use character codes and support any Unicode character. This tool encodes 30+ common named entities including copyright, trademark, currency symbols, arrows, and mathematical operators.

Frequently Asked Questions

Why do I need to encode HTML entities?

Encoding HTML entities prevents two critical problems: XSS (Cross-Site Scripting) attacks, where malicious code is injected through user input, and rendering errors, where characters like < and > are interpreted as HTML tags instead of being displayed as text. Any user-supplied content displayed on a web page should be entity-encoded first.

What is the difference between named and numeric entities?

Named entities use human-readable codes like &copy; for © and &euro; for €. Numeric entities use character codes like &#169; for ©. Named entities are easier to read in source code but only cover about 250 common characters. Numeric entities can represent any Unicode character. This tool supports 30+ named entities.

Does this tool protect against XSS attacks?

Yes. By converting characters like < > " and & into their entity equivalents, the encoded output cannot be executed as HTML or JavaScript. This is the first line of defense against XSS. However, proper security requires server-side encoding as well — never rely solely on client-side encoding for security-critical applications.

Which characters must always be encoded?

Five characters must always be encoded in HTML: ampersand (&), less-than (<), greater-than (>), double quote ("), and single quote ('). Beyond these, encoding special characters like © ® ™ € improves cross-browser compatibility and prevents rendering issues with different character encodings.
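
The five-character rule and the named/numeric distinction above, as an added example (not this tool's own code). The function names and the small NAMED table are assumptions made for illustration.

```javascript
// Added example, not the tool's own code. Function names are illustrative.

// The five characters the page says must always be encoded.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Single-pass replace: each input character is mapped exactly once, so the
// "&" inside an entity we just produced is never encoded a second time.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Small named-entity table (subset chosen for this example).
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", copy: "\u00A9", euro: "\u20AC" };

// Decode named, decimal (&#169;) and hex (&#xA9;) references in one pass.
// Unknown names and invalid code points are left untouched, and the output
// of one replacement is never rescanned ("&amp;lt;" becomes "&lt;", not "<").
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    if (body[0] !== "#") {
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === "x" || body[1] === "X";
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    const valid = code > 0 && code <= 0x10ffff && !(code >= 0xd800 && code <= 0xdfff);
    return valid ? String.fromCodePoint(code) : match;
  });
}

// Constructed sample of user-supplied text containing all five characters.
const sample = `<b title="a">Tom & 'Jerry'</b>`;
const encoded = encodeHtml(sample);
console.log(encoded);
console.log(decodeHtml(encoded) === sample);
```

Output encoded this way is safe to place in element content and in quoted attribute values. Text inserted into unquoted attributes, script blocks, style blocks or URLs needs encoding specific to that context.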