Common HTML Entities
| < | &lt; |
| > | &gt; |
| & | &amp; |
| " | &quot; |
| ' | &#39; |
| / | &#x2F; |
Encode & Decode HTML Entities Online
Convert special characters into HTML entities to prevent XSS attacks and display reserved HTML characters correctly. Essential for web security, displaying code snippets, and handling user-generated content safely.
Perfect for developers sanitizing user input, displaying code examples, and anyone working with HTML special characters and entities.
HTML encoding converts special characters into HTML entities to prevent XSS (Cross-Site Scripting) attacks and display reserved HTML characters correctly. Characters like <, >, &, ", and ' have special meanings in HTML and must be encoded as &lt;, &gt;, &amp;, &quot;, and &#39; to be displayed as text rather than interpreted as HTML code. Our HTML encoder protects your web applications from injection attacks by sanitizing user input, and helps display code snippets, special characters, and symbols correctly on web pages. The tool supports both named entities (&nbsp;) and numeric entities (&#160;), with automatic detection of input format.
Unencoded user input is the #1 cause of XSS attacks where hackers inject malicious scripts into web pages. HTML encoding prevents these attacks by converting dangerous characters into safe entities that browsers display as text, not code. It's essential for displaying user-generated content (comments, reviews, forum posts), showing code examples, rendering special characters (©, ®, €), and preventing HTML injection. Without proper encoding, attackers can steal cookies, hijack sessions, deface websites, and compromise user data. Modern web frameworks automatically encode output, but manual encoding is often needed for legacy systems, APIs, and special cases.
Input: <script>alert('XSS')</script>
Output: &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
Use Case: Prevent XSS attacks by encoding user-submitted content before displaying it on web pages.
Input: <div class="container">Hello</div>
Output: &lt;div class=&quot;container&quot;&gt;Hello&lt;/div&gt;
Use Case: Show HTML code examples on documentation pages without the browser interpreting them as actual HTML.
Input: Price: $100 & up
Output: Price: $100 &amp; up
Use Case: Display ampersands and other special characters correctly in HTML without breaking the page structure.
HTML encoding converts special characters into HTML entities (e.g., < becomes &lt;). This prevents browsers from interpreting characters as HTML code and protects against XSS attacks.
Always encode: < (&lt;), > (&gt;), & (&amp;), " (&quot;), ' (&#39;). Also encode special symbols when needed: © (&copy;), ® (&reg;), € (&euro;), non-breaking space (&nbsp;).
Named entities use names (&nbsp;, &copy;). Numeric entities use numbers (&#160;, &#169;). Both work identically. Named entities are more readable; numeric entities support all Unicode characters.
XSS attacks inject malicious scripts like <script>. HTML encoding converts < to &lt;, so browsers display the text instead of executing the script. This neutralizes the attack.
Yes! Always encode user input before displaying it in HTML. This includes comments, reviews, usernames, search queries, and any user-generated content. Never trust user input.
HTML encoding uses entities (&lt;) for displaying text in HTML. URL encoding uses percent-encoding (%20) for transmitting data in URLs. Use the right encoding for the right context.
Yes, but only encode the content you want to display as text, not the HTML structure itself. Encoding an entire page would display the HTML code instead of rendering it.
Paste text with HTML entities into our decoder. It converts entities back to their original characters, making the text human-readable again.
Yes! When inserting user content into HTML via JavaScript (innerHTML, insertAdjacentHTML), always encode it first. Use textContent instead of innerHTML when possible: it inserts the value as plain text, so nothing in it is parsed as markup.
React, Vue, Angular, and most modern frameworks automatically encode output by default. However, when using dangerouslySetInnerHTML or v-html, you must manually encode user content.
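An added JavaScript example (not code from this page or the tool it describes) of the encoding and decoding rules above: a single-pass encoder for the five reserved characters and a decoder for named, decimal and hexadecimal entities. The names `encodeHtml`, `decodeHtml`, `renderComment` and the short `NAMED` table are assumptions made for illustration.

```javascript
// Reserved characters and the entities they are written as (hypothetical helper names).
const ENTITY_FOR = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// One pass over the input: an '&' produced by a substitution is never
// re-encoded, which chained .replace() calls in the wrong order would do.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_FOR[ch]);
}

// Small named-entity table constructed for this example; the full HTML list is far longer.
const NAMED = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  nbsp: '\u00A0', copy: '\u00A9', reg: '\u00AE', euro: '\u20AC',
};

// Decode named (&copy;), decimal (&#169;) and hex (&#xA9;) references exactly once,
// so '&amp;lt;' becomes the text '&lt;' and not '<'.
function decodeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // NUL, surrogates and out-of-range values become U+FFFD instead of throwing.
      if (code === 0 || code > 0x10FFFF || (code >= 0xD800 && code <= 0xDFFF)) return '\uFFFD';
      return String.fromCodePoint(code);
    }
    // Unknown names are left untouched rather than guessed at.
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Encode at the point of output. The attribute value is double-quoted, which is
// what makes encoding '"' sufficient there; unquoted attributes need more than this.
function renderComment(author, body) {
  return `<li title="${encodeHtml(author)}">${encodeHtml(body)}</li>`;
}

// Constructed sample input, reusing the page's own example string.
console.log(renderComment('A & B', "<script>alert('XSS')</script>"));
```

This covers HTML element content and quoted attribute values only; values placed in URLs, scripts or styles need the encoding for that context.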