Common HTML Entity Reference
| Char | Description | Named | Numeric |
|---|---|---|---|
| & | Ampersand | `&amp;` | `&#38;` |
| < | Less than | `&lt;` | `&#60;` |
| > | Greater than | `&gt;` | `&#62;` |
| " | Double quote | `&quot;` | `&#34;` |
| ' | Single quote / Apostrophe | `&apos;` | `&#39;` |
| (space) | Non-breaking space | `&nbsp;` | `&#160;` |
| © | Copyright | `&copy;` | `&#169;` |
| ® | Registered | `&reg;` | `&#174;` |
| ™ | Trademark | `&trade;` | `&#8482;` |
| € | Euro sign | `&euro;` | `&#8364;` |
| £ | Pound sign | `&pound;` | `&#163;` |
| ¥ | Yen sign | `&yen;` | `&#165;` |
| ¢ | Cent sign | `&cent;` | `&#162;` |
| — | Em dash | `&mdash;` | `&#8212;` |
| – | En dash | `&ndash;` | `&#8211;` |
| • | Bullet | `&bull;` | `&#8226;` |
| … | Horizontal ellipsis | `&hellip;` | `&#8230;` |
| « | Left guillemet | `&laquo;` | `&#171;` |
| » | Right guillemet | `&raquo;` | `&#187;` |
| ← | Left arrow | `&larr;` | `&#8592;` |
| → | Right arrow | `&rarr;` | `&#8594;` |
| ° | Degree | `&deg;` | `&#176;` |
| × | Multiplication | `&times;` | `&#215;` |
| ÷ | Division | `&divide;` | `&#247;` |
How to use the HTML Entity Encoder
Some characters (<, >, &, ", ') need to be encoded as HTML entities to render safely without breaking markup or creating XSS vulnerabilities. The encoder converts in both directions.
Paste your text
Source can be plain text (with characters that need encoding) or already-encoded HTML (to decode back to plain text).
Pick the direction
Encode — text → HTML entities. Decode — HTML entities → text.
Pick the encoding scope
Minimal — only the 5 unsafe characters (< > & " '). Aggressive — every non-ASCII character converted to numeric entity.
Copy the result
Paste encoded text into HTML attributes, body content, or anywhere user-generated text might appear.
Why HTML entity encoding matters for security and rendering
Unencoded user input is the #1 source of XSS vulnerabilities. A user typing `<script>` into a comment field can hijack your site if the text isn't entity-encoded before rendering.
The five characters that always need encoding
- `<` → `&lt;` — prevents tag injection.
- `>` → `&gt;` — prevents tag injection.
- `&` → `&amp;` — prevents entity confusion.
- `"` → `&quot;` — required inside double-quoted attributes.
- `'` → `&#39;` — required inside single-quoted attributes.
When entity encoding goes wrong
- Double-encoding — encoding already-encoded text turns `&lt;` into `&amp;lt;`, which renders as the literal string `&lt;`.
- Encoding inside `<script>` tags — JavaScript doesn't decode HTML entities, so encoded text appears literally.
- Skipping attribute encoding — `title="User said "hi""` breaks the attribute parse.
- Encoding URL-only contexts — URLs need URL encoding (`%20`), not HTML entity encoding.
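The two encoding scopes, the attribute case and the double-encoding check from the two lists above, as an added example in JavaScript (not the tool's own code; the `&#39;` choice for the apostrophe and the function names are this example's own):

```javascript
// Minimal scope: the five characters that break markup or attribute parsing.
// `&#39;` is used for the apostrophe because it works in every HTML version.
const NAMED = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function encodeMinimal(text) {
  return String(text).replace(/[&<>"']/g, (ch) => NAMED[ch]);
}

// Aggressive scope: the five unsafe characters plus every non-ASCII code point
// as a decimal numeric entity. Iterating with for..of yields whole code points,
// so astral characters (emoji) become one entity, not two surrogate halves.
function encodeAggressive(text) {
  let out = "";
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    if (NAMED[ch]) out += NAMED[ch];
    else if (cp > 0x7f) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Decoder for the entities the encoders above emit: the five named ones
// (plus &apos;) and decimal or hexadecimal numeric references.
const NAMED_REVERSE = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function decodeEntities(text) {
  return String(text).replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|(amp|lt|gt|quot|apos));/g,
    (_m, hex, dec, name) => {
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      if (dec) return String.fromCodePoint(parseInt(dec, 10));
      return NAMED_REVERSE[name];
    }
  );
}

// Double-encoding guard: text that already contains decodable entities was
// encoded once before, so encoding it again would produce `&amp;lt;`-style output.
function isAlreadyEncoded(text) {
  return decodeEntities(text) !== String(text);
}

// Build a double-quoted attribute from untrusted text, so a value such as
// `User said "hi"` cannot terminate the attribute early.
function attr(name, value) {
  return `${name}="${encodeMinimal(value)}"`;
}
```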
Frequently asked questions
What is HTML entity encoding?
Converting special characters (like `<`, `>`, `&`) to their entity equivalents (`&lt;`, `&gt;`, `&amp;`) so they render as text instead of being interpreted as HTML markup. Critical for any user-generated content displayed on a page.
Which characters need to be encoded?
At minimum the five XML-significant characters: < > & " and '. Inside HTML attributes, all of these. Inside body content, just < > &. Modern frameworks (React, Vue) auto-encode by default — the manual encoding requirement is mostly for legacy templates and raw HTML generation.
What's the difference between named and numeric entities?
Named entities use letter abbreviations: `&copy;` for ©. Numeric entities use Unicode codepoints: `&#169;` for the same © (decimal) or `&#xA9;` (hex). Named entities are more readable but limited to a fixed set; numeric entities work for any Unicode character.
Do I still need to encode in modern frameworks?
Less often. React, Vue, Angular, and Svelte all auto-encode template content by default. You only need manual encoding when (1) using dangerouslySetInnerHTML or equivalent, (2) generating raw HTML strings server-side without a template engine, or (3) building HTML attributes from user data.
Does HTML entity encoding prevent XSS attacks?
It's a key defense layer. Encoding user-generated text before rendering it as HTML prevents script-injection. But encoding alone isn't enough — input validation, Content Security Policy, and proper attribute quoting are also required. Treat entity encoding as one piece of a defense-in-depth strategy.