HTML Entities Explained: When and How to Encode Special Characters

By Soumen Barick · 4 min read

What Are HTML Entities?

HTML entities are special codes used to represent characters that have reserved meaning in HTML or that cannot be easily typed on a keyboard. Each entity starts with an ampersand (&) and ends with a semicolon (;).

For example, the less-than sign < is written as &lt; in HTML. Without this encoding, the browser would interpret it as the start of an HTML tag, potentially breaking the page layout or introducing security vulnerabilities.

Encode and decode HTML entities instantly with our HTML Entity Encoder.

Why HTML Entities Matter

Preventing XSS Attacks

Cross-site scripting (XSS) is one of the most common web security vulnerabilities. It occurs when an attacker injects malicious HTML or JavaScript into a web page. Proper entity encoding neutralizes this threat by ensuring that user-supplied content is displayed as text, not executed as code.

For example, if a user submits <script>alert('hacked')</script> in a comment field, encoding it produces &lt;script&gt;alert('hacked')&lt;/script&gt;, which renders harmlessly as visible text.

Correct Rendering

Without entity encoding, characters like &, <, and > can confuse the HTML parser and produce unexpected rendering results. Encoding ensures that what you write is exactly what the user sees.

Essential HTML Entities

Here are the most important entities every developer should know:

  • &lt; — Less-than sign (<)
  • &gt; — Greater-than sign (>)
  • &amp; — Ampersand (&)
  • &quot; — Double quotation mark (")
  • &#39; (also &apos; in HTML5) — Apostrophe / single quote (')
  • &nbsp; — Non-breaking space
  • &copy; — Copyright symbol (©)
  • &mdash; — Em dash (—)

Named vs. Numeric Entities

HTML entities can be written in two forms:

Named Entities

Named entities use descriptive words: &amp;, &lt;, &copy;. They are easier to read in source code, but not every character has a named entity.

Numeric Entities

Numeric entities use the character's Unicode code point: for the ampersand, &#38; (decimal) or &#x26; (hexadecimal). They work for any Unicode character, making them useful for special symbols and international characters.
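The encoding step from the XSS example above and the named and numeric forms from this section, as an added example in plain JavaScript that is not from the article or its tool: encodeHtml escapes the five reserved characters (it also escapes the apostrophe as &#39;, so the output is safe inside quoted attribute values as well as element text), toNumericEntity produces the decimal or hexadecimal form for any character, and decodeHtml reverses named, decimal and hexadecimal entities in a single pass. The named-entity table is a deliberately small subset limited to the names this article mentions; a full decoder needs the complete HTML5 table.

```javascript
// Added example, not from the article: a small HTML entity encoder/decoder.
// Runs unchanged in Node.js or a browser.

// The five characters with reserved meaning in HTML, mapped to their entities.
// The apostrophe uses the numeric form because &apos; is not recognized by
// pre-HTML5 parsers.
const ENCODE_TABLE = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode user-supplied text so the browser shows it as text, never as markup.
// Unicode letters, emoji and punctuation pass through untouched.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_TABLE[ch]);
}

// Numeric form of any single character: decimal (&#169;) or hexadecimal (&#xA9;).
// Works for characters that have no named entity at all.
function toNumericEntity(ch, hex = false) {
  const codePoint = ch.codePointAt(0);
  return hex ? `&#x${codePoint.toString(16).toUpperCase()};` : `&#${codePoint};`;
}

// Deliberately small subset of the HTML5 named-entity table: only the names
// this article mentions. A real decoder needs the full table (2,000+ names).
const DECODE_TABLE = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  nbsp: '\u00a0', copy: '\u00a9', mdash: '\u2014',
};

// Decode named, decimal (&#38;) and hexadecimal (&#x26;) entities in one pass.
// One pass matters: "&amp;lt;" must become "&lt;", not "<". Unknown names and
// invalid code points are left as-is rather than guessed.
function decodeHtml(text) {
  return String(text).replace(
    /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g,
    (match, body) => {
      if (body[0] === '#') {
        const isHex = body[1] === 'x' || body[1] === 'X';
        const codePoint = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
        const isSurrogate = codePoint >= 0xd800 && codePoint <= 0xdfff;
        if (codePoint === 0 || codePoint > 0x10ffff || isSurrogate) return match;
        return String.fromCodePoint(codePoint);
      }
      return Object.prototype.hasOwnProperty.call(DECODE_TABLE, body) ? DECODE_TABLE[body] : match;
    },
  );
}

// The article's XSS example, encoded and then decoded back.
const payload = "<script>alert('hacked')</script>";
console.log(encodeHtml(payload)); // &lt;script&gt;alert(&#39;hacked&#39;)&lt;/script&gt;
console.log(decodeHtml(encodeHtml(payload)) === payload); // true
console.log(toNumericEntity('\u00a9'), toNumericEntity('\u00a9', true)); // &#169; &#xA9;
```

The decoder returns the original text for anything it does not recognize, which is the behaviour you want when the input came from an untrusted source: guessing at a malformed entity is how decoders end up producing characters the encoder never meant to emit.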

When to Use HTML Encoding

  • User-generated content — Always encode before displaying comments, reviews, forum posts, or any user input
  • Code examples — When showing HTML or code snippets on a web page
  • Special symbols — Copyright, trademark, currency symbols, and mathematical operators
  • Non-breaking spaces — Preventing unwanted line breaks in specific text

Tools for HTML Encoding

Our suite of HTML tools makes encoding and cleaning HTML effortless.

Best Practices

  • Encode on output, not on input — store raw data and encode when rendering
  • Use your framework's built-in escaping — React, Angular, and Vue all auto-escape by default
  • Never trust user input — even if you sanitize, always encode as a defense-in-depth measure
  • Test with edge cases including nested quotes, script tags, and Unicode characters
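Encode-on-output and the edge-case tests from this list, as an added example in plain JavaScript that is not from the article: the raw comment is stored unchanged, encoding happens once per output context at render time (element text for the body, a quoted attribute value for the author), and renderCommentUnsafe is the raw-interpolation anti-pattern kept only for comparison. The in-memory comment store, the data-author attribute and the sample comment are constructed for the example.

```javascript
// Added example, not from the article: encode on output, not on input.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes the five reserved characters; covers element text and quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Constructed in-memory comment store. The raw text is kept exactly as submitted,
// so other outputs (JSON API, plain-text email, search index) are not double-encoded.
const comments = [];
function storeComment(author, body) {
  const comment = { id: comments.length + 1, author, body };
  comments.push(comment);
  return comment;
}

// Encoding happens here, once per context: attribute value for data-author,
// element text for the visible name and body.
function renderComment(comment) {
  return (
    `<li id="comment-${comment.id}" data-author="${escapeHtml(comment.author)}">` +
    `<b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</li>`
  );
}

// Anti-pattern kept only for comparison: raw interpolation. A quote in the
// author's name ends the attribute early, and a tag in the body becomes markup.
function renderCommentUnsafe(comment) {
  return (
    `<li id="comment-${comment.id}" data-author="${comment.author}">` +
    `<b>${comment.author}</b>: ${comment.body}</li>`
  );
}

// Edge cases from the article's checklist: nested quotes, a script tag, Unicode.
// Constructed sample input.
const sample = storeComment(
  'Ann "Quotes" O\'Brien',
  "<script>alert('hacked')</script> caf\u00e9 \u00a9",
);
console.log(renderComment(sample));
// <li id="comment-1" data-author="Ann &quot;Quotes&quot; O&#39;Brien"><b>Ann &quot;Quotes&quot; O&#39;Brien</b>: &lt;script&gt;alert(&#39;hacked&#39;)&lt;/script&gt; café ©</li>
console.log(renderCommentUnsafe(sample));
```

Note that the Unicode characters are untouched in the safe output: encoding is about the five reserved characters, not about stripping non-ASCII, and an encoder that mangles "café" is a sign it is doing the wrong job. The same escapeHtml serves both the text and the double-quoted attribute context here; a URL, JavaScript or CSS context would each need its own encoder, which is the main reason to lean on the framework's templating rather than hand-rolling this.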

Related Resources

This article is part of our Complete Guide to Encoding, Decoding, and Security Tools.

Need a faster workflow? Try the HTML Escape/Unescape — Escape special HTML characters to entities or unescape HTML entities back to plain text.
