Why HTML entities exist
HTML uses angle brackets < and > for tags, and the ampersand & for entities themselves. If you want to display these characters as literal text on a page — not as HTML structure — you need to escape them:
- `&lt;` displays as: <
- `&gt;` displays as: >
- `&amp;` displays as: &
- `&quot;` displays as: "
- `&apos;` displays as: ' (HTML5 only; use `&#39;` for broader support)
Without escaping, <script>alert(1)</script> written in page content would execute as JavaScript — this is how XSS (Cross-Site Scripting) attacks work. Properly escaping user-supplied content before rendering it in HTML is a critical security practice.
Encode HTML entities instantly with the free HTML entity encoder.
The five critical characters to always escape
| Character | Entity name | Numeric entity | Why escape it |
|---|---|---|---|
| < | `&lt;` | `&#60;` | Opens HTML tags |
| > | `&gt;` | `&#62;` | Closes HTML tags |
| & | `&amp;` | `&#38;` | Starts entities |
| " | `&quot;` | `&#34;` | Breaks quoted attributes |
| ' | `&apos;` | `&#39;` | Breaks single-quoted attributes |
Named entities for special characters
HTML also provides named entities for characters that don't require escaping but are common typographic needs:
- `&nbsp;` — non-breaking space (prevents a line break between two words)
- `&copy;` — © copyright symbol
- `&reg;` — ® registered trademark
- `&trade;` — ™ trademark
- `&mdash;` — — em dash (the long dash)
- `&ndash;` — – en dash
- `&hellip;` — … horizontal ellipsis
- `&euro;` — € euro sign
- `&pound;` — £ pound sign
When you DON'T need entities
A common mistake: over-encoding everything. If your HTML file is saved as UTF-8 (which it should be in 2026), you can include most special characters directly:
- `© 2026` works fine in UTF-8 HTML — no need for `&copy; 2026`
- Accented characters like é, ñ, ü can be written directly
- Emoji work directly in UTF-8 HTML (though some email clients are different)
You only need entities for:
- The five critical characters that have syntactic meaning in HTML (<, >, &, ", ')
- Characters that aren't reliably available in the document's character encoding (rare for UTF-8)
- Non-breaking space (`&nbsp;`) and similar typographic controls
XSS prevention: the security angle
Cross-Site Scripting (XSS) is one of the most common web vulnerabilities. It occurs when user-supplied data is included in HTML output without escaping.
Unsafe pattern:
```html
<!-- User searched for: <script>alert('xss')</script> -->
<p>Search results for: {{ user_query }}</p>
```
If `user_query` isn't escaped, the browser executes the script. Safe:
```html
<p>Search results for: &lt;script&gt;alert('xss')&lt;/script&gt;</p>
```
Most modern web frameworks (React, Vue, Angular, Django, Rails) auto-escape by default. The danger is when you bypass this with "raw" or "unsafe" output functions — `dangerouslySetInnerHTML` in React, `v-html` in Vue, `|safe` in Django templates. Use these only when you control the content and have verified it doesn't contain user input.
Numeric entities
Every character can be referenced by its Unicode code point as a numeric entity:
- Decimal: `&#65;` = A (Unicode code point 65)
- Hexadecimal: `&#x41;` = A (0x41 hex = 65 decimal)
Numeric entities work for any Unicode character regardless of whether there's a named entity for it. They're useful for obscure symbols and special characters where the named entity isn't widely known.
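To tie the XSS section and the numeric-entity section together, here is an added example (not code from the original page): a single-pass escaper for the five critical characters, a numeric-entity helper, and the search-results template rendered safely. The function names `escapeHtml`, `toNumericEntity` and `renderSearchResults` are ours, and the sample query is constructed.

```javascript
// Added example: escape the five critical HTML characters in one pass.
// Mapping follows the article's table; &#39; is used instead of &apos;
// for pre-HTML5 compatibility.
const ENTITY_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape untrusted text for use in an HTML text node or a quoted attribute.
// A single regex pass guarantees each "&" in the input is encoded exactly
// once, so no "&amp;lt;" double-encoding can arise within one call.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Numeric entity for the first code point of `char`, in decimal (&#65;)
// or hexadecimal (&#x41;) form; works for any Unicode character.
function toNumericEntity(char, hex = false) {
  const cp = char.codePointAt(0);
  return hex ? `&#x${cp.toString(16).toUpperCase()};` : `&#${cp};`;
}

// The article's "search results" template, with the user's query escaped
// at output time so any markup in it is displayed rather than parsed.
function renderSearchResults(userQuery) {
  return `<p>Search results for: ${escapeHtml(userQuery)}</p>`;
}

// Constructed sample input mirroring the article's payload.
const query = "<script>alert('xss')</script>";
console.log(renderSearchResults(query));
// Escaping must happen exactly once, at render time: escaping already
// escaped text produces visible garbage such as "&amp;lt;".
console.log(escapeHtml(escapeHtml("<")));
```

Calling `escapeHtml` twice on the same string shows why frameworks escape at the template boundary rather than when data is stored: stored-escaped data re-escaped at output renders as literal `&lt;` to the user.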
Related tools
- Free HTML Entity Encoder/Decoder — encode HTML special characters for safe display
- Free URL Encoder/Decoder — percent-encode strings for URLs (different from HTML encoding)
Written by Achraf A., founder of TheFreeAITools.