PXLTools

HTML Entity Encoder

Encode and decode HTML entities

How to use HTML Entity Encoder

  1. Choose Encode or Decode mode.
  2. Paste your text into the input area.
  3. The output updates in real time.
  4. Enable the Encode all non-ASCII option to convert non-ASCII Unicode characters to numeric entities.

HTML entities explained

HTML entities represent reserved characters in HTML. When you write < in HTML, the browser interprets it as the start of a tag. To display a literal less-than sign, you write &lt; instead.

There are named entities (&amp;, &lt;, &copy;) and numeric entities (&#38;, &#60;, &#169;). Named entities are easier to read in source code. Numeric entities work for any Unicode character.

Encoding user-generated content before inserting it into HTML is a fundamental security practice that prevents cross-site scripting (XSS) attacks.

Frequently Asked Questions

What characters need to be encoded in HTML?
The five mandatory characters are: & (&amp;), < (&lt;), > (&gt;), " (&quot;), and ' (&#39;). These have special meaning in HTML and must be escaped to display literally.
Should I encode all characters or just special ones?
For most cases, encoding only special characters (&, <, >, ", ') is sufficient. Full encoding (all non-ASCII to numeric entities) is useful when you need ASCII-safe output.
What is the difference between named and numeric entities?
Named entities like &amp; are human-readable. Numeric entities like &#38; use the Unicode code point. Both produce the same result in browsers.
Is this useful for preventing XSS?
Yes. Encoding user input before inserting it into HTML prevents script injection. However, proper output encoding should be done server-side, not manually.
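The two modes described above (encode the five mandatory characters, optionally every non-ASCII character as a numeric entity; decode named, decimal and hexadecimal entities) written out as a small added example. This is illustrative code, not PXLTools' own implementation; the named-entity table is deliberately tiny, and the function names are assumptions.

```javascript
// Added example, not the PXLTools implementation: a minimal HTML entity
// encoder/decoder covering the behaviour the page describes.

// The five characters that must always be escaped in HTML text and attribute values.
const MANDATORY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// A deliberately small named-entity table (the real HTML list has over 2000 names).
const NAMED_TO_CHAR = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", copy: '\u00A9', nbsp: '\u00A0',
};

// Encode mode. With encodeAllNonAscii=true, every code point above 0x7F becomes
// a decimal numeric entity so the output is pure ASCII.
function encodeHtml(text, encodeAllNonAscii = false) {
  let out = '';
  for (const ch of text) { // for...of walks code points, so emoji are not split into surrogates
    const cp = ch.codePointAt(0);
    if (Object.prototype.hasOwnProperty.call(MANDATORY, ch)) {
      out += MANDATORY[ch];
    } else if (encodeAllNonAscii && cp > 0x7f) {
      out += '&#' + cp + ';';
    } else {
      out += ch;
    }
  }
  return out;
}

// Decode mode. A single regex pass is important: "&amp;lt;" must become "&lt;",
// not "<". Decoding twice would turn escaped text back into live markup.
function decodeHtml(text) {
  return text.replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        if (cp > 0x10ffff) return match; // not a valid code point; leave it as-is
        return String.fromCodePoint(cp);
      }
      // Unknown names are left untouched rather than guessed at.
      return Object.prototype.hasOwnProperty.call(NAMED_TO_CHAR, name) ? NAMED_TO_CHAR[name] : match;
    }
  );
}

// Constructed sample input, as the tool's "paste your text" step would receive it.
const SAMPLE = 'Tom & Jerry <3 "café" \u00A9 \u{1F600}';
console.log(encodeHtml(SAMPLE));        // special characters only
console.log(encodeHtml(SAMPLE, true));  // ASCII-safe output
console.log(decodeHtml(encodeHtml(SAMPLE, true)) === SAMPLE); // round trip
```

Note that this is escaping for the HTML text and quoted-attribute contexts only; text placed inside a script block, a URL, or a CSS value needs that context's own encoding, which is why the FAQ's advice to do output encoding in the server-side templating layer rather than by hand still applies.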