HTML Encoder/Decoder
Encode special characters to HTML entities or decode HTML entities back to readable text. Prevent XSS and display issues instantly.
How to Use the HTML Encoder/Decoder
- To Encode: Select the Encode tab, paste your text or HTML into the input area, and click Encode. All special characters will be converted to their HTML entity equivalents.
- To Decode: Select the Decode tab, paste HTML-encoded text into the input area, and click Decode. All HTML entities will be converted back to readable characters.
- Click Copy to copy the result to your clipboard.
About HTML Encoding
HTML encoding is the process of replacing special characters with their corresponding HTML entities. Characters like angle brackets, ampersands, and quotation marks have special meaning in HTML, so they must be encoded when you want them to appear as literal text on a web page. Without proper encoding, browsers will interpret these characters as HTML markup, potentially breaking your page layout or creating security vulnerabilities.
HTML encoding is essential for preventing cross-site scripting (XSS) attacks, one of the most common web security vulnerabilities. When user-supplied data is displayed on a web page without encoding, malicious scripts can be injected and executed in other users' browsers. This tool converts the characters that are dangerous in HTML text and attribute values to their entity equivalents, so the content is displayed literally rather than interpreted as markup. Keep in mind that entity encoding is the right defense only for those two contexts, and only when attribute values are quoted: data placed inside a script block, an event-handler attribute, a URL or a style value needs the encoding rules for that context instead.
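The encode and decode behaviour described above, as an added JavaScript example (this is not the page's own tool code): encodeHtml handles the five critical characters and, optionally, rewrites non-ASCII text as hexadecimal character references; decodeHtml handles named, decimal and hexadecimal references in a single pass. The named-entity table is limited to the entities this page lists plus &apos;; a complete decoder needs the full HTML named-character list, which runs to over two thousand names. The sample strings are constructed to mirror the page's examples.

```javascript
// Added example, not the page's own tool code: a minimal HTML entity encoder
// and decoder in plain JavaScript (runs in Node or a browser console).

// The five characters with special meaning in HTML text and attribute values.
// &apos; is not defined in HTML 4, so the numeric form &#39; is used for the apostrophe.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Named references this decoder knows: the page's quick-reference table plus &apos;.
// A complete decoder needs the full HTML named-character list (over two thousand names).
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
  copy: '\u00a9', reg: '\u00ae', trade: '\u2122', euro: '\u20ac', pound: '\u00a3',
  mdash: '\u2014', ndash: '\u2013',
};

// Encode for the HTML text or quoted-attribute context. With nonAscii: true every
// code point above U+007F is also written as a hex reference (e-acute -> &#xE9;),
// which survives a page whose declared charset is not UTF-8.
function encodeHtml(text, { nonAscii = false } = {}) {
  let out = text.replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
  if (nonAscii) {
    // The u flag makes the class match whole code points, so an emoji becomes one
    // reference rather than two surrogate halves.
    out = out.replace(/[^\x00-\x7f]/gu,
      (ch) => `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`);
  }
  return out;
}

// Decode named (&copy;), decimal (&#169;) and hexadecimal (&#xA9;) references.
// One pass over the input: the output is never re-scanned, so "&amp;lt;" decodes to
// the literal text "&lt;" rather than to "<". Unknown names, surrogate code points
// and values above U+10FFFF are left as they are instead of being guessed.
function decodeHtml(text) {
  return text.replace(/&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
        return String.fromCodePoint(cp);
      }
      // Entity names are case-sensitive in HTML, so no lowercasing. hasOwnProperty
      // keeps "&constructor;" or "&toString;" from resolving to Object.prototype members.
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
        ? NAMED_ENTITIES[name]
        : match;
    });
}

// Constructed sample inputs mirroring the page's examples.
const SAMPLES = [
  '<div class="container">Hello</div>',
  "<script>alert('hacked')</script>",
  '5 > 3 && "x" < \'y\'',
];

// Every sample must survive an encode/decode round trip unchanged.
function roundTripOk() {
  return SAMPLES.every((s) => decodeHtml(encodeHtml(s)) === s);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) console.log(encodeHtml(s));
  console.log(encodeHtml('caf\u00e9 \u20ac', { nonAscii: true }));
  console.log(decodeHtml('&copy; 2024 &mdash; &#8364; &#x20AC; &amp;lt;'));
  console.log('round trip ok:', roundTripOk());
}
```

Decoding is the reverse operation, and it removes the protection encoding gave: if you decode user-supplied text and then assign it to innerHTML or write it into a template, any markup in it is live again. Decode only when you need the plain-text value, and encode again before rendering.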
Common HTML Encoding Examples
Below are practical examples showing how HTML encoding works in real-world scenarios. These demonstrate why encoding is essential for both security and correct display.
Displaying Code in HTML
When you want to show HTML tags as text on a web page, you must encode them:
Input: <div class="container">Hello</div>
Encoded: &lt;div class=&quot;container&quot;&gt;Hello&lt;/div&gt;
Encoding Ampersands in URLs within HTML
Input: <a href="page?name=John&age=30">Link</a>
Correct: <a href="page?name=John&amp;age=30">Link</a>
Only the ampersand inside the attribute value is encoded, not the surrounding tag. Browsers usually tolerate the bare & here, but &amp; is the unambiguous form, and the link still works because the browser decodes the entity before following it.
Preventing XSS in User Input
User input: <script>alert('hacked')</script>
Encoded: &lt;script&gt;alert(&#39;hacked&#39;)&lt;/script&gt;
The browser shows this as text, not as executable code.
Special Characters in Attribute Values
Attribute value: He said "hello"
Encoded: <input value="He said &quot;hello&quot;">
Without the encoding, the first inner quote would end the attribute value and the rest of the text would be parsed as further attributes.
Mathematical and Typography Symbols
- &copy; = © (copyright)
- &trade; = ™ (trademark)
- &reg; = ® (registered)
- &euro; = € (euro sign)
- &pound; = £ (pound sign)
- &mdash; = — (em dash)
- &ndash; = – (en dash)
HTML Entities Quick Reference
This table lists the most commonly used HTML entities. The five critical encoding characters are listed first, followed by useful symbols.
| Character | Named Entity | Numeric Entity | Description |
|---|---|---|---|
| & | &amp; | &#38; | Ampersand |
| < | &lt; | &#60; | Less than |
| > | &gt; | &#62; | Greater than |
| " | &quot; | &#34; | Double quote |
| ' | &apos; | &#39; | Single quote / apostrophe (&apos; is HTML5 only; &#39; works everywhere) |
| (space) | &nbsp; | &#160; | Non-breaking space |
| © | &copy; | &#169; | Copyright symbol |
| — | &mdash; | &#8212; | Em dash |
| € | &euro; | &#8364; | Euro sign |
Why HTML Encoding Matters for Web Security
HTML encoding is one of the most fundamental security practices in web development. Cross-site scripting (XSS) consistently ranks among the top web application vulnerabilities, and the primary defense against it is proper output encoding. When a web application displays user-supplied data without encoding it first, any HTML or JavaScript in that data will be interpreted by the browser as active content rather than text. An attacker can exploit this by submitting malicious scripts through form fields, URL parameters, or any other input that eventually gets rendered on a page.
The encoding process transforms dangerous characters into their safe entity equivalents. A <script> tag becomes &lt;script&gt;, which the browser renders as visible text rather than executing as code. This simple transformation neutralizes the attack while preserving the visual content. Modern web frameworks like React, Angular, and Vue encode interpolated values by default, but each also offers an escape hatch that inserts raw HTML (React's dangerouslySetInnerHTML, Vue's v-html, Angular's bypassSecurityTrustHtml), and anything passed through those, or assigned to innerHTML directly, is not encoded for you. Developers working with raw HTML, server-side templates, or legacy systems must handle encoding manually as well.
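The two renderings described above, plus the attribute-context caveat, as an added JavaScript example (not code from the page or from any framework). attributeNames is a deliberately tiny approximation of the HTML tokenizer's attribute rules, just enough to show where an unquoted attribute value ends; the two payloads are constructed for the demonstration.

```javascript
// Added example, not from the page: how encoding neutralizes a script payload in
// text context, and why the same encoding is not enough for an unquoted attribute.

// The five-character encoder the page describes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const encodeHtml = (s) => s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

// Constructed attacker inputs for the demonstration (not from any real incident).
const TAG_PAYLOAD = "<script>alert('hacked')</script>";
// Contains none of the five special characters, so encodeHtml returns it unchanged.
const ATTR_PAYLOAD = 'x onfocus=alert(1) autofocus';

// Text context without encoding: the payload is parsed as markup.
function renderUnsafe(comment) {
  return `<p>${comment}</p>`;
}

// Text context with encoding: the browser displays the literal characters.
function renderSafe(comment) {
  return `<p>${encodeHtml(comment)}</p>`;
}

// Attribute context, encoded but unquoted: whitespace ends an unquoted value, so the
// rest of the payload becomes new attributes, one of them an event handler.
function renderUnquotedAttr(value) {
  return `<input value=${encodeHtml(value)}>`;
}

// Attribute context, encoded and quoted: the only character that could close the
// value is ", and encodeHtml turns every " into &quot;.
function renderQuotedAttr(value) {
  return `<input value="${encodeHtml(value)}">`;
}

// Does the rendered HTML still contain a real <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Toy approximation of the tokenizer's attribute rules: an attribute name follows
// whitespace; its value is quoted with " or ', or runs to the next whitespace or >.
// Returns the attribute names found in the first tag of the markup.
function attributeNames(html) {
  const tag = html.match(/<[a-zA-Z][^>]*>/);
  if (!tag) return [];
  const names = [];
  const re = /\s([a-zA-Z-]+)(?:=(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = re.exec(tag[0])) !== null) names.push(m[1].toLowerCase());
  return names;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe text   :', renderUnsafe(TAG_PAYLOAD), containsScriptTag(renderUnsafe(TAG_PAYLOAD)));
  console.log('encoded text  :', renderSafe(TAG_PAYLOAD), containsScriptTag(renderSafe(TAG_PAYLOAD)));
  console.log('unquoted attr :', renderUnquotedAttr(ATTR_PAYLOAD), attributeNames(renderUnquotedAttr(ATTR_PAYLOAD)));
  console.log('quoted attr   :', renderQuotedAttr(ATTR_PAYLOAD), attributeNames(renderQuotedAttr(ATTR_PAYLOAD)));
}
```

The unquoted case is why "encode the five characters" is a rule about text and quoted attribute values only: with no quotes to break out of, the attacker never needs any of those characters. When you are building DOM in the browser, prefer textContent and setAttribute over string concatenation; they set values directly and need no encoding at all.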
Beyond security, HTML encoding ensures correct rendering. An unencoded ampersand in the middle of text can confuse the HTML parser, causing it to interpret the following characters as the start of an entity. Unencoded angle brackets can create unexpected elements in the DOM. By consistently encoding these characters, you guarantee that your content displays exactly as intended across all browsers and devices.
Frequently Asked Questions
What is HTML encoding?
HTML encoding converts special characters like <, >, &, and quotes into their HTML entity equivalents (e.g., &lt;, &gt;, &amp;). This prevents browsers from interpreting them as HTML markup.
Why should I encode HTML entities?
Encoding HTML entities prevents cross-site scripting (XSS) attacks and ensures special characters display correctly in web pages rather than being interpreted as HTML tags or attributes.
Which characters must be encoded?
The most important characters to encode are: < (less than), > (greater than), & (ampersand), " (double quote), and ' (single quote). These characters have special meaning in HTML and can break your markup or create vulnerabilities if left unencoded.
Is my data kept private?
Yes. All encoding and decoding happens entirely in your browser. No data is sent to any server, so your content remains completely private.
What is the difference between HTML encoding and URL encoding?
HTML encoding converts characters to HTML entities (like &amp; for &) for safe display in web pages. URL encoding converts characters to percent-encoded form (like %26 for &) for safe inclusion in URLs. They serve different purposes and use different encoding schemes. The two are often layered: a query-string value is URL-encoded first, and the resulting URL is then HTML-encoded when it is placed in an href attribute, which is why an ampersand separating URL parameters inside a link is written &amp;.
Do I need to encode every character?
For security and correctness, the five critical characters are < > & " and '. However, you may also want to encode non-ASCII characters using numeric character references if your page encoding is not UTF-8, or for maximum compatibility across all systems.
What is the difference between named and numeric entities?
Named entities use a descriptive name like &amp; for ampersand. Numeric entities use the character's Unicode code point, like &#38; (decimal) or &#x26; (hexadecimal). Both are valid HTML and the browser treats them identically, so anything that decodes or inspects HTML must handle all three forms. Named entities are more readable (note that their names are case-sensitive), while numeric entities can represent any Unicode character.
How does HTML encoding prevent XSS?
Cross-site scripting (XSS) attacks inject malicious scripts through user input. By encoding characters like < and > to &lt; and &gt;, the browser displays them as text instead of interpreting them as HTML tags. This prevents any injected script tags from executing in other users' browsers.