HTML Entities, Quick Facts
- •HTML reserves five characters that need escaping to appear as literal text:
< > & " '. - •Named entities like
&and numeric entities like&both render the same character, browsers accept either form. - •Failing to escape user input before inserting it into HTML is one of the root causes of Cross-Site Scripting (XSS) vulnerabilities.
- •Entities are HTML/XML-specific, they have nothing to do with URL encoding or Base64, keep them straight when debugging a broken page.
The Real Problem This Solves
Paste a raw < or & into an HTML document and the browser tries to parse it as a tag or entity, silently breaking your layout or, worse, opening the door to script injection if the text came from a user.
This tool escapes special characters into safe entities, or decodes an entity-laden string back into plain, readable text.
How Entity Encoding Works
Encoding replaces each reserved character with its named entity equivalent, so the browser renders it as a visible character instead of interpreting it as markup. Decoding does the reverse, using the browser's own parser to resolve every named and numeric entity back to plain text, covering the full HTML5 entity set, not just the basic five.
Example: Save 10% on "Home Loans" & EMIs encodes to Save 10% on "Home Loans" & EMIs, which a browser renders back exactly as the original text, safely, no matter where it's inserted into a page.
| Character | Named Entity | Numeric Entity |
|---|---|---|
| < | < | < |
| > | > | > |
| & | & | & |
| " | " | " |
| ' | ' | ' |
Frequently Asked Questions
Why is escaping HTML important for security?
If user-supplied text is inserted into a page without escaping, a value containing a real <script> tag gets executed as real code instead of displayed as text, this is the core mechanism behind Cross-Site Scripting (XSS) attacks. Escaping the five reserved characters neutralises this.
What's the difference between a named and numeric entity?
They render identically. A named entity like & is more readable in source code; a numeric entity like & works even in contexts that do not recognise the named form, like some XML parsers or older systems.
Should I encode all non-ASCII characters?
Not usually, modern pages are UTF-8 by default and display accented letters, emoji, and non-English scripts natively. Only enable "encode non-ASCII" if you're working with a legacy system or strict ASCII-only pipeline.
Is this the same as URL encoding?
No, they solve different problems. HTML entity encoding protects characters that have meaning inside HTML markup; URL encoding protects characters that have meaning inside a URL. A value often needs both, encoded for the URL first, then escaped again if it is later displayed in HTML.
Does decoding execute any scripts in my input?
No. Decoding runs through the browser's HTML parser in a detached, unattached element purely to resolve entities to text; nothing in your input is ever rendered as live, executable markup.
That text also going into a URL?
HTML entities and URL encoding solve different problems and are often needed together. Percent-encode a value for a query string with our URL Encoder/Decoder.
Open URL Encoder/Decoder →