HTML Entity Encoder & Decoder

Convert raw text strings to escaped HTML entities to prevent rendering issues and guard against Cross-Site Scripting (XSS) injections.

Source Content

Processed Output

Encode Only Special Characters (&, <, >, ", ')

Quick Entity Reference Table (Click to Copy)

Ampersand

Less Than

Greater Than

Double Quote

Single Quote

Registered

(space)

Non-Breaking Space

Deep Dive: HTML Entity Architectures, SGML Origins, & XSS Sanitization

What is an HTML Entity?

An HTML entity is a structured string of characters used in web documents to represent reserved symbols or characters that are either not present on standard keyboards or would otherwise disrupt browser HTML parsing engines. Every standard HTML entity begins with an ampersand symbol (`&`) and ends with a terminating semicolon (`;`). Characters can be referenced by a standard name (named entity, e.g. `<` for `<`) or by a decimal/hexadecimal unicode coordinate (numeric entity, e.g. `<` or `<`).

HTML engines treat characters like `<` and `>` as structural tag open/close indicators. If a developer needs to display the mathematical equation `x < y` inside a web page, typing the `<` symbol directly can confuse the parser, which thinks a new HTML tag is starting. By escaping it to `x < y`, the rendering engine displays the character safely without attempting to parse a tag.

Named vs Numeric Entities

Named entities are easy to remember but are limited to standard sets (like `©`). Numeric unicode entities (like `😀` for emojis) cover the entire, massive multi-plane Unicode character matrix.

Preventing XSS Injections

Cross-Site Scripting (XSS) occurs when malicious user inputs are injected into a web page and executed. Converting user-submitted `<script>` tags to `<script>` renders the text safely without executing it.

Critical Reserved HTML Entities Reference

The W3C specifies five core XML/HTML entities that must always be escaped inside document schemas to avoid tag breakdown:

Raw Glyph	Standard Named Entity	Numeric Decimal Entity	Primary HTML parsing risk
`&`	`&`	`&`	Confused by browsers as the beginning of another HTML entity definition.
`<`	`<`	`<`	Confused by browsers as the beginning of a custom HTML element tag.
`>`	`>`	`>`	Confused by browsers as the closing bracket of an HTML element tag.
`"`	`"`	`"`	Disrupts attribute values enclosed in double quotes (e.g. `value="..."`).
`'`	`'`	`'`	Disrupts attribute values enclosed in single quotes (e.g. `href='...'`).

Cross-Platform Content Delivery Guidelines

Modern standard UTF-8 encodings have reduced the need to escape most non-ASCII glyphs (like accented characters or mathematical operators) on standard web pages. However, escaping the five core special characters remains a critical best practice for securing form submissions, rendering code blocks safely, and sanitizing API inputs against script exploits.