Use HTML Entity Encoder/Decoder


Encoding and Decoding Basic HTML Entities

The HTML Entity Encoder Decoder converts between characters and their HTML entity representations in both directions. Here are the most essential conversions:

/* Encoding: characters → entities */
Input:  < > & " '
Output: &lt; &gt; &amp; &quot; &#39;

/* Decoding: entities → characters */
Input:  &lt;div class=&quot;hello&quot;&gt;World &amp; Beyond&lt;/div&gt;
Output: <div class="hello">World & Beyond</div>

/* Mixed content encoding */
Input:  Tom & Jerry <cartoon> © 2024
Output: Tom &amp; Jerry &lt;cartoon&gt; &copy; 2024

XSS Prevention with Entity Encoding

Encoding user input before rendering it in HTML is the primary defense against cross-site scripting attacks:

/* Malicious user input */
<script>alert('XSS Attack!')</script>

/* Without encoding — dangerous! */
<p>User said: <script>alert('XSS Attack!')</script></p>
<!-- The script executes in the browser -->

/* With entity encoding — safe */
<p>User said: &lt;script&gt;alert(&#39;XSS Attack!&#39;)&lt;/script&gt;</p>
<!-- Displays as literal text, no execution -->

/* Attribute injection attack */
User input: " onclick="stealData()
Without encoding: <input value="" onclick="stealData()">  ← executes!
With encoding:    <input value="&quot; onclick=&quot;stealData()">  ← safe

Named Entity Reference Table

HTML5 defines named entities for hundreds of special characters. Here are the most commonly used ones:

/* Punctuation and typography */
&nbsp;    →   (non-breaking space)
&mdash;   → — (em dash)
&ndash;   → – (en dash)
&hellip;  → … (ellipsis)
&ldquo;   → “ (left double quote)
&rdquo;   → ” (right double quote)
&lsquo;   → ‘ (left single quote)
&rsquo;   → ’ (right single quote)

/* Legal and commercial symbols */
&copy;    → © (copyright)
&reg;     → ® (registered trademark)
&trade;   → ™ (trademark)

/* Currency */
&euro;    → € (euro)
&pound;   → £ (pound sterling)
&yen;     → ¥ (yen/yuan)
&cent;    → ¢ (cent)

/* Math */
&times;   → × (multiplication)
&divide;  → ÷ (division)
&plusmn;  → ± (plus-minus)
&ne;      → ≠ (not equal)
&le;      → ≤ (less than or equal)
&ge;      → ≥ (greater than or equal)
&infin;   → ∞ (infinity)
&deg;     → ° (degree)

Numeric Character References

Any Unicode character can be encoded as a decimal or hexadecimal numeric reference, useful for characters without named entities:

/* Decimal format: &#[number]; */
&#169;    → © (copyright sign)
&#8364;   → € (euro sign)
&#9829;   → ♥ (heart suit)
&#10003;  → ✓ (check mark)
&#128512; → 😀 (emoji)

/* Hexadecimal format: &#x[hex]; */
&#xA9;    → © (copyright sign)
&#x20AC;  → € (euro sign)
&#x2665;  → ♥ (heart suit)
&#x2713;  → ✓ (check mark)
&#x1F600; → 😀 (emoji)

/* Named vs numeric — same result */
&copy;  =  &#169;  =  &#xA9;  →  ©

Decoding Double-Encoded Entities

Double encoding happens when content is encoded twice, often accidentally. The decoder helps identify and fix this:

/* Original text */
Tom & Jerry

/* Encoded once (correct) */
Tom &amp; Jerry

/* Encoded twice (problem — displays &amp; literally) */
Tom &amp;amp; Jerry

/* Decoding once */
Input:  Tom &amp;amp; Jerry
Output: Tom &amp; Jerry

/* Decoding twice */
Input:  Tom &amp; Jerry
Output: Tom & Jerry

/* Common cause: template engine + manual encoding */
// Wrong: double encoding
const name = htmlEncode(userInput);  // encodes &
template.render({ name: name });     // template also encodes → double encoded

// Correct: let the template handle encoding
template.render({ name: userInput }); // template encodes once
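
The numeric-reference and double-encoding sections above, as an added example (not the tool's own code): a one-layer decoder for named, decimal and hexadecimal references, plus a count of how many decode passes a string needs before it stops changing. The `NAMED` table is a small constructed subset and the function names are illustrative.

```javascript
// Constructed subset of named entities; the full HTML5 table is much larger.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", copy: '©', euro: '€', mdash: '—' };

// Decode exactly one layer: &copy; / &#169; / &#xA9; all become ©.
function decodeOnce(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g, (match, body) => {
    if (body[0] !== '#') {
      // Unknown names are left as written rather than guessed.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Leave NUL, surrogates and out-of-range values untouched instead of throwing.
    if (code === 0 || code > 0x10FFFF || (code >= 0xD800 && code <= 0xDFFF)) return match;
    return String.fromCodePoint(code);
  });
}

// Number of decode passes that still change the text:
// 0 = plain text, 1 = encoded once, 2 or more = double encoded.
// Heuristic only: text that deliberately shows entity syntax also scores 2.
function encodingDepth(text, maxPasses = 5) {
  let depth = 0;
  let current = text;
  while (depth < maxPasses) {
    const next = decodeOnce(current);
    if (next === current) break;
    current = next;
    depth += 1;
  }
  return depth;
}

console.log(decodeOnce('&copy; &#169; &#xA9;'));
console.log(encodingDepth('Tom &amp;amp; Jerry'));
```

Use the depth count to find where a pipeline encodes twice and remove the extra encode; decoding untrusted text repeatedly until it stops changing can turn inert text back into markup.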

Encoding HTML Attribute Values

Attribute values require careful encoding to prevent injection attacks. Both quotes and angle brackets must be encoded:

/* Safe attribute encoding examples */

/* Title attribute with special characters */
<span title="Tom &amp; Jerry &mdash; Classic Cartoon">...</span>

/* Alt text with quotes */
<img src="photo.jpg" alt="&quot;The Best&quot; Award Winner">

/* Data attributes with JSON */
<div data-config="{&quot;key&quot;:&quot;value&quot;,&quot;count&quot;:42}">...</div>

/* URL in href with ampersand */
<a href="https://example.com/search?a=1&amp;b=2">Search</a>

/* Unsafe — breaks attribute context */
<img alt="User's "photo"">   ← breaks HTML parsing
<img alt="User&#39;s &quot;photo&quot;">  ← safe
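
The XSS-prevention and attribute-encoding sections above, as an added example (not the tool's own code): a five-character encoder applied to the page's script and `onclick` inputs, with a simplified attribute lister that shows the injected attribute disappearing once the value is encoded. All function names are illustrative, and `attributeNames` only understands double-quoted attributes.

```javascript
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing context.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Element-content context, as in the "User said:" template.
function renderComment(userText, encode) {
  const body = encode ? encodeHtml(userText) : userText;
  return `<p>User said: ${body}</p>`;
}

// Attribute context. The value is always wrapped in double quotes:
// encoding does not protect an unquoted attribute value.
function renderInput(userValue, encode) {
  const value = encode ? encodeHtml(userValue) : userValue;
  return `<input value="${value}">`;
}

// Simplified check for this demo: names of double-quoted attributes in a start tag.
// A browser's parser handles many more cases than this regex.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z][\w-]*)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Inputs taken from the examples on this page.
const scriptInput = "<script>alert('XSS Attack!')</script>";
const attrInput = '" onclick="stealData()';

console.log(renderComment(scriptInput, true));
console.log(attributeNames(renderInput(attrInput, false))); // [ 'value', 'onclick' ]
console.log(attributeNames(renderInput(attrInput, true)));  // [ 'value' ]
```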

Email Template Entity Encoding

Email clients have inconsistent HTML support. Entity encoding ensures special characters display correctly everywhere:

/* Email subject line special characters */
Subject: 50% Off — Today Only!
Encoded: 50% Off &mdash; Today Only!

/* Email body with currency and symbols */
<p>Your order total: &pound;29.99 (incl. VAT)</p>
<p>Discount applied: &minus;10% &mdash; saving you &pound;3.33</p>
<p>Thank you for shopping with us &hearts;</p>

/* Preheader text encoding */
<span style="display:none;">
  Save 20% &mdash; offer ends midnight &copy; 2024 ShopName
</span>

/* Safe rendering across Outlook, Gmail, Apple Mail */
&nbsp;   → non-breaking space (prevents line breaks in prices)
&mdash;  → em dash (better than -- in email copy)
&copy;   → © (copyright in footer)

Frequently Asked Questions

Simply enter your data, click the process button, and get instant results. All processing happens in your browser for maximum privacy and security.

Yes! HTML Entity Encoder/Decoder is completely free to use with no registration required. All processing is done client-side in your browser.

Absolutely! All processing happens locally in your browser. Your data never leaves your device, ensuring complete privacy and security.