HTML Entity Encoder / Decoder
Encode special characters to HTML entities or decode entities back to text. Switch between Encode and Decode mode with one click.
Essential HTML Entities
| Character | Entity Name | Entity Number | Description |
|---|---|---|---|
| & | &amp; | &#38; | Ampersand |
| < | &lt; | &#60; | Less-than sign |
| > | &gt; | &#62; | Greater-than sign |
| " | &quot; | &#34; | Double quotation mark |
| ' | &apos; | &#39; | Single quotation mark |
| (non-breaking space) | &nbsp; | &#160; | Non-breaking space |
| © | &copy; | &#169; | Copyright sign |
| ® | &reg; | &#174; | Registered sign |
| ™ | &trade; | &#8482; | Trademark sign |
| — | &mdash; | &#8212; | Em dash |
Why HTML Encoding Matters for Security
Unencoded user input in HTML is the primary cause of XSS (Cross-Site Scripting) vulnerabilities. If a user enters <script>alert("hacked")</script> and it is rendered unencoded, the browser executes it as JavaScript. Encoding transforms it to &lt;script&gt;alert(&quot;hacked&quot;)&lt;/script&gt;, which the browser displays as literal text instead of executing.
Frequently Asked Questions
What are HTML entities?
HTML entities are special codes used to represent characters that have special meaning in HTML or cannot be typed directly. For example, < must be written as &lt; in HTML source to prevent it from being interpreted as the start of a tag. An entity starts with & and ends with ; and is either a name (&lt;) or a decimal or hexadecimal number (&#60; or &#x3C;).
Why do I need to encode HTML?
Encoding HTML prevents XSS (Cross-Site Scripting) attacks. If user-provided content is inserted into a web page without encoding, a malicious user could inject HTML or JavaScript. Always encode user input at the point where it is inserted into HTML. For example, <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt;, which the browser renders as text rather than executing.
What is the difference between HTML encoding and URL encoding?
HTML encoding converts characters for safe inclusion in HTML documents (&, <, etc.). URL encoding converts characters for safe inclusion in URLs (%26, %3C, etc.). They are different standards for different contexts — use the right one for your use case.
What are the most common HTML entities?
The five essential HTML entities are: &amp; (ampersand), &lt; (less-than), &gt; (greater-than), &quot; (double quote), and &#39; (single quote). There are also named entities for special symbols: &copy; (copyright), &reg; (registered), &trade; (trademark), &nbsp; (non-breaking space), &mdash; (em dash).
Can I use this to sanitize HTML for output?
Yes, but with caveats. This tool encodes the five essential characters (&, <, >, ", '), which is sufficient for preventing XSS when inserting text into HTML element content or into quoted attribute values. It does not make data safe inside a <script> block, an event-handler attribute, a URL, or CSS; each of those contexts needs its own context-specific encoding. For complex HTML sanitization needs (allowing some tags while blocking others), use a dedicated HTML sanitization library such as DOMPurify (in the browser, or server-side together with a DOM implementation such as jsdom).
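As an added example that is not the tool's own code, the following JavaScript implements the encode and decode behaviour described in the security section and the FAQ above: the encoder escapes the five essential characters, and the decoder handles the named entities from the table plus decimal and hexadecimal numeric references, decoding exactly once so that &amp;lt; yields &lt; rather than <. The sample payload is the one from the security section.

```javascript
// Added example, not the page's tool. Encode map for the five essential
// characters; the single quote uses the numeric form, which every browser
// accepts (&apos; was not part of HTML 4).
const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Named entities this example decodes: the table above plus &apos;.
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  nbsp: "\u00A0", copy: "\u00A9", reg: "\u00AE", trade: "\u2122", mdash: "\u2014",
};

// Escape text for insertion into HTML element content or a quoted attribute.
// One regex pass means an already-encoded "&amp;" becomes "&amp;amp;"; the
// browser then shows the literal text "&amp;", which is what output encoding is for.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decode named, decimal (&#NNN;) and hex (&#xHH;) references in one pass.
// Unknown names and out-of-range code points are left untouched.
function decodeHtml(text) {
  return String(text).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g, (match, body) => {
    if (body[0] === "#") {
      const isHex = body[1] === "x" || body[1] === "X";
      const codePoint = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      return codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : match;
    }
    // hasOwnProperty guards against names like "constructor" hitting the prototype.
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body) ? NAMED_ENTITIES[body] : match;
  });
}

// Constructed sample: the payload from the security section, as it would arrive in a form field.
const sample = '<script>alert("hacked")</script>';
console.log(encodeHtml(sample)); // → &lt;script&gt;alert(&quot;hacked&quot;)&lt;/script&gt;
console.log(decodeHtml(encodeHtml(sample)) === sample); // → true
```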