Convert special characters to HTML entities and decode HTML entities back to readable text. Essential for XSS prevention and web development.
| Character | Named | Numeric | Description |
|---|---|---|---|
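| < | `&lt;` | `&#60;` | Less than |
| > | `&gt;` | `&#62;` | Greater than |
| & | `&amp;` | `&#38;` | Ampersand |
| " | `&quot;` | `&#34;` | Double quote |
| ' | `&apos;` | `&#39;` | Single quote |
|   | `&nbsp;` | `&#160;` | Non-breaking space |
| © | `&copy;` | `&#169;` | Copyright |
| ® | `&reg;` | `&#174;` | Registered |
| ™ | `&trade;` | `&#8482;` | Trademark |
| € | `&euro;` | `&#8364;` | Euro sign |
| — | `&mdash;` | `&#8212;` | Em dash |
| • | `&bull;` | `&#8226;` | Bullet |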
HTML entities are special codes used to represent characters that have special meaning in HTML or cannot be
typed on a standard keyboard. They start with `&` and end with `;`. For example,
`&lt;` represents the less-than sign (<), which would otherwise be interpreted as the start of an HTML
tag.
HTML encoding is the primary defense against Cross-Site Scripting (XSS) attacks. By encoding user input
before displaying it on a page, you prevent malicious scripts from being executed. For example, encoding
`<script>` to `&lt;script&gt;` renders it as harmless text.
Always encode user-supplied content before inserting it into HTML. This includes form inputs, URL parameters, database content, and any data from external sources. Modern frameworks like React do this automatically.
Named entities (like `&amp;`) are more readable. Numeric entities (like `&#38;`) are more universal and support all Unicode characters. Named entities have less universal browser support, while numeric entities work everywhere.
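The encoding and decoding described above, as an added example (not this tool's own code; the names `encodeHtml`, `decodeHtml`, `NAMED` and `ESCAPES` are assumptions). It covers the entities in the table plus decimal and hexadecimal numeric forms, and it is only correct for HTML text and quoted attribute values, not for script, URL or CSS contexts.

```javascript
// Named entities from the table above, mapped to the characters they stand for.
const NAMED = {
  lt: "<", gt: ">", amp: "&", quot: '"', apos: "'", nbsp: "\u00A0",
  copy: "\u00A9", reg: "\u00AE", trade: "\u2122", euro: "\u20AC",
  mdash: "\u2014", bull: "\u2022",
};

// The five characters that can change HTML structure. The single quote uses the
// numeric form because numeric entities are the more universally supported kind.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode untrusted text for insertion into HTML text or a quoted attribute value.
function encodeHtml(input) {
  // One pass, so the "&" of an entity we just produced is never encoded again.
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode named, decimal (&#60;) and hexadecimal (&#x3C;) entities.
function decodeHtml(input) {
  // One pass as well: "&amp;lt;" must become the text "&lt;", never "<".
  const pattern = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g;
  return String(input).replace(pattern, (whole, body) => {
    if (body[0] !== "#") {
      // Own-property check so names like "constructor" are not looked up
      // on Object.prototype. Unknown names are left untouched.
      const known = Object.prototype.hasOwnProperty.call(NAMED, body);
      return known ? NAMED[body] : whole;
    }
    const isHex = body[1] === "x" || body[1] === "X";
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // NUL, surrogates and out-of-range values become U+FFFD instead of throwing.
    if (!code || code > 0x10ffff || (code >= 0xd800 && code <= 0xdfff)) {
      return "\uFFFD";
    }
    return String.fromCodePoint(code);
  });
}

// Constructed sample input: markup submitted as a comment body.
const sample = '<script>alert("x")</script>';
console.log(encodeHtml(sample));             // inert text once placed in a page
console.log(decodeHtml(encodeHtml(sample))); // round-trips to the original string
```

Decode once and encode at the point of output; decoding a value twice can turn text such as `&amp;lt;` back into live markup.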