HTML Entity Encoder
Free HTML entity encoder and decoder. Convert ampersands, angle brackets, and quote marks to and from their HTML-safe entity form for templates and emails.
Quick answer
HTML entity encoding replaces special characters with named or numeric entities so they render as text instead of being parsed as markup. & becomes &, < becomes <, > becomes >, " becomes ", ' becomes '.
HTML Entity Encoder / Decoder
How it works
Converts HTML reserved characters (&, <, >, ", ') to their entity equivalents so they render as text instead of being parsed as markup. Decoding does the reverse.
When to use it
Displaying code snippets inside HTML pages, sanitizing user input before rendering it, escaping content for inclusion in attribute values, or unescaping data scraped from HTML sources.
Common mistakes
Encoding text that's already encoded (double-encoding) — & becomes &amp;. Always check whether your input is raw or already escaped before running it through.
How HTML entity encoding works
HTML reserves several characters for markup syntax: ampersand starts entities, angle brackets delimit tags, quotes delimit attributes. To display these characters as text rather than have them parsed as markup, replace each with its entity equivalent. The five most common entities are amp, lt, gt, quot, and apos (or #39 for single quote). For non-ASCII characters or custom symbols, numeric entities like € (€) work everywhere.
When to use it
Embedding code samples in HTML so the markup itself displays as text. Rendering user-generated content safely — always entity-encode user input before injecting into HTML to prevent XSS attacks. Sending HTML in email where some clients aggressively interpret raw markup. Documenting templates or configuration where literal angle brackets need to survive parsing.
Common mistakes
- Forgetting to encode the ampersand. & in URLs and copy gets parsed as the start of an entity. Always encode it as &.
- Encoding inside attributes incorrectly. Single-quoted attributes need single-quote escaping; double-quoted need double-quote escaping. Mixing them creates broken markup.
- Trusting innerHTML to handle user input. Setting innerHTML with user content is unsafe — it executes scripts and parses tags. Use textContent for plain text, or entity-encode first if you must use innerHTML.
Frequently asked questions
What is an HTML entity?
An HTML entity is a special sequence (starting with & and ending with ;) that represents a single character. & represents the literal & character; < represents <. They let you display characters that would otherwise be interpreted as markup.
Which characters must be entity-encoded?
The five 'mandatory' entities for safe HTML: & (&), < (<), > (>), " ("), and ' (' or '). For non-ASCII characters, numeric entities (&#nnnn;) work as a fallback when named entities aren't available.
Is HTML entity encoding the same as URL encoding?
No. URL encoding replaces unsafe-in-URLs characters with % followed by hex (space = %20). HTML encoding replaces markup-significant characters with named entities (< = <). They serve different layers — URL for transport, HTML for display.