Skip to main content

Html Entities

HTML entities encode characters that have special meaning in HTML (<, >, &, ") and characters outside the ASCII range (accented letters, symbols, emoji). Proper encoding prevents XSS vulnerabilities when displaying user input and ensures text renders correctly across all browsers and character sets.

Input

Output

Share this tool
Developer Tools

About the HTML Entity Encoder / Decoder

HTML entities encode characters that have special meaning in HTML (<, >, &, ") and characters outside the ASCII range (accented letters, symbols, emoji). Proper encoding prevents XSS vulnerabilities when displaying user input and ensures text renders correctly across all browsers and character sets.

How to use it

  1. Paste text to encode HTML entities: & → &amp;, < → &lt;, > → &gt;, " → &quot;.
  2. Or paste HTML entities to decode them back to readable characters.
  3. Toggle between named entities (&amp;), decimal (&#38;), and hex (&#x26;) encoding.
  4. Use the XSS-safe mode to encode all potentially dangerous characters.

Formula & methodology

Named: & → &amp; < → &lt; > → &gt; " → &quot; ' → &#39; or &apos; (HTML5). Decimal: char → &#[decimal]; Hex: char → &#x[hex]; Special: copyright → &copy; trademark → &trade; registered → &reg; em-dash → &mdash; rsquo → &rsquo; ellipsis → &hellip;

Common use cases

  • Security: encoding user input before inserting into HTML to prevent XSS
  • Email templates: encoding special characters for email client compatibility
  • CMS: ensuring article content with < or > renders correctly
  • API responses: encoding HTML in JSON strings
  • Troubleshooting: diagnosing why & shows as &amp; in a page

Frequently asked questions

In JSON itself: no (JSON uses backslash escaping, not HTML entities). But if the JSON is output into an HTML context (embedded in a <script> tag or rendered directly in HTML), you must encode it. The dangerous case: PHP echo json_encode($data) inside a <script> — an attacker can inject </script> to break out. Always encode contextually, not generically.
Both represent the & character. &amp; is the named entity reference (human-readable). &#38; is the decimal numeric character reference. &#x26; is the hex numeric reference. All three produce identical output in the browser. Named entities are preferred for readability; numeric references are useful for characters without a named form.

Related tools

All Tools →

Embed this tool on your site

Free for personal and commercial use. Just copy the snippet below.

to break out. Always encode contextually, not generically."}},{"@type":"Question","name":"What is the difference between & and &?","acceptedAnswer":{"@type":"Answer","text":"Both represent the & character. & is the named entity reference (human-readable). & is the decimal numeric character reference. & is the hex numeric reference. All three produce identical output in the browser. Named entities are preferred for readability; numeric references are useful for characters without a named form."}}]}