Convert special characters to their HTML entity equivalents or decode entities back to readable text. Essential for safely embedding content in HTML.

| Character | Named | Numeric | Description |
|---|---|---|---|
| & | `&amp;` | `&#38;` | Ampersand |
| < | `&lt;` | `&#60;` | Less than |
| > | `&gt;` | `&#62;` | Greater than |
| " | `&quot;` | `&#34;` | Double quote |
| ' | `&apos;` | `&#39;` | Single quote / Apostrophe |
| ␣ | `&nbsp;` | `&#160;` | Non-breaking space |
| — | `&mdash;` | `&#8212;` | Em dash |
| – | `&ndash;` | `&#8211;` | En dash |
| © | `&copy;` | `&#169;` | Copyright |
| ® | `&reg;` | `&#174;` | Registered |
| ™ | `&trade;` | `&#8482;` | Trademark |
| € | `&euro;` | `&#8364;` | Euro sign |
| £ | `&pound;` | `&#163;` | Pound sign |
| ¥ | `&yen;` | `&#165;` | Yen sign |
| ¢ | `&cent;` | `&#162;` | Cent sign |
| … | `&hellip;` | `&#8230;` | Horizontal ellipsis |
| • | `&bull;` | `&#8226;` | Bullet |
| § | `&sect;` | `&#167;` | Section sign |
| « | `&laquo;` | `&#171;` | Left double angle quote |
| » | `&raquo;` | `&#187;` | Right double angle quote |

HTML entities are special sequences that represent characters which have reserved meaning in HTML or are not easily typed on a keyboard. For example, the < character starts an HTML tag, so to display it as text you write `&lt;` instead. Every entity starts with an ampersand (&) and ends with a semicolon (;).
HTML supports two formats. Named entities like `&amp;`, `&lt;`, and `&copy;` use a human-readable name. Numeric entities like `&#38;` and `&#x26;` use the Unicode code point in decimal or hexadecimal. Named entities are easier to read; numeric entities cover every Unicode character.
Cross-Site Scripting (XSS) attacks exploit unescaped user input rendered as HTML. If a user submits <script>alert('hacked')</script> and your app renders it raw, the browser executes the script. Encoding special characters to entities neutralizes these payloads — the browser displays the text instead of executing it. Always encode user-generated content before inserting it into HTML.
Always set <meta charset="UTF-8"> in your HTML head. With UTF-8, most characters can be written directly. However, the five characters that have special meaning in HTML (&, <, >, ", ') should always be encoded in attribute values and text content to prevent parsing errors.
<, >, &, and " into their HTML entity equivalents.
Five characters have special meaning in HTML and must be encoded when used as content: & (ampersand), < (less than), > (greater than), " (double quote inside attributes), and ' (single quote inside attributes). Failing to encode these can break your markup or open XSS vulnerabilities.
XSS attacks inject malicious scripts through unescaped user input. When you encode `<script>` as `&lt;script&gt;`, the browser displays it as text instead of executing it. Always encode user input on the server side before rendering; client-side encoding alone is not sufficient for security.
Named entities (`&amp;`, `&copy;`) are more readable and recommended for common characters. Numeric entities (`&#38;`, `&#169;`) cover the full Unicode range and are necessary for characters without named equivalents.
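The encoding and decoding described above, as an added Python example that is not code from this page or the tool it describes. It encodes the five reserved characters at the point of output and decodes named, decimal and hex entities in a single pass; the function names, the `render_comment` template, the reduced named-entity table and the sample author string are assumptions made for illustration.

```python
import re

# Constructed sample input: the payload string quoted on this page.
PAYLOAD = "<script>alert('hacked')</script>"

# The five characters the page says must always be encoded.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}
ESCAPE_RE = re.compile(r"""[&<>"']""")

# Small named-entity subset for this example (assumption); a complete decoder
# needs the full HTML5 table, e.g. Python's html.unescape.
NAMED = {"amp": "&", "lt": "<", "gt": ">", "quot": '"', "apos": "'",
         "nbsp": "\u00a0", "copy": "\u00a9"}
# Digit counts are bounded so oversized references are never parsed as numbers.
ENTITY_RE = re.compile(
    r"&(#[xX][0-9a-fA-F]{1,6}|#[0-9]{1,7}|[A-Za-z][A-Za-z0-9]*);")


def encode_entities(text):
    """Encode in one pass, so the '&' of an emitted entity is never re-encoded."""
    return ESCAPE_RE.sub(lambda m: ESCAPES[m.group()], text)


def decode_entities(text):
    """Decode named, decimal and hex entities exactly once."""
    def repl(m):
        body = m.group(1)
        if body[0] != "#":
            return NAMED.get(body, m.group(0))   # unknown names stay as written
        cp = int(body[2:], 16) if body[1] in "xX" else int(body[1:])
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return m.group(0)                    # not a valid character: leave it
        return chr(cp)
    return ENTITY_RE.sub(repl, text)


def render_comment(author, body):
    """Hypothetical server-side template: encode each value where it is output."""
    return f'<p title="{encode_entities(author)}">{encode_entities(body)}</p>'


if __name__ == "__main__":
    print(render_comment('Ann "QA" O\'Neil', PAYLOAD))
    print(decode_entities("&amp;lt;"))   # a single decoding pass, not two
```

Encoding already-encoded text doubles the ampersand (`&amp;` becomes `&amp;amp;`), so encode once, at output time, and store the raw value.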