Developer · April 2026 · 5 min read

How to Encode and Decode HTML Entities

HTML entities are escape sequences that represent characters with special meaning in HTML. The ampersand (&) becomes &amp;, the less-than sign (<) becomes &lt;, and the double quote (") becomes &quot;. Encoding these characters prevents the browser from interpreting them as HTML markup, which is essential for displaying code examples, preventing XSS attacks, and handling user input safely.

Derek Giordano
Designer & Developer
In this guide
  • 01 Characters That Must Be Encoded
  • 02 Named vs Numeric Entities
  • 03 Encoding for Security (XSS Prevention)
  • 04 Using the HTML Entity Encoder
⚡ Key Takeaways
  • Convert the five special characters (& < > " ') to HTML entities, and decode entity strings back to readable text.
  • Every character can be written as a decimal or hex numeric entity; only a fixed set of characters has a named form.
  • Encoding user input before it is placed into HTML is the primary defense against cross-site scripting (XSS).
  • The HTML Entity Encoder encodes and decodes named, decimal and hex entities in both directions.

Characters That Must Be Encoded

Five characters have special meaning in HTML and must be encoded when they appear as content: & (ampersand) → &amp;, < (less than) → &lt;, > (greater than) → &gt;, " (double quote) → &quot;, ' (single quote) → &#39; (or &apos;, which is defined in HTML5 and XML but not in HTML 4, so &#39; is the portable choice). Strictly, a text node only misparses on & and <; the quotes matter because the same string often ends up inside an attribute value, where an unescaped quote closes the attribute and lets the rest of the input become new attributes or a new tag. Encoding all five makes the output safe in both places. If you include a raw < in your HTML content, the browser interprets it as the start of a tag. Encoding prevents this misinterpretation.

Named vs Numeric Entities

Named entities use a mnemonic name: &amp; &lt; &gt; &copy; &trade;. Decimal numeric entities use the Unicode code point in decimal: &#38; &#60; &#62; &#169;. Hex numeric entities use the code point in hexadecimal: &#x26; &#x3C; &#x3E;. Named entities are more readable, but only a fixed list of characters has a name. Numeric entities work for any Unicode code point. Browsers decode all three forms identically before interpreting the result, so a decoder, and any filter that inspects HTML for dangerous strings, has to recognize all three; a check that matches only one spelling is bypassed by another.


Encoding for Security (XSS Prevention)

Cross-site scripting (XSS) attacks inject malicious HTML or JavaScript through user input. If a user submits text containing a <script> tag and your site renders it unencoded, the browser executes the script with your site's origin and the victim's session. Always encode user input before placing it into HTML. Most server-side template engines and front-end frameworks encode interpolated values by default, but each has an escape hatch for rendering raw markup (a "safe" or "raw" filter, or writing to innerHTML directly in the browser); treat every use of those as a review item. Encoding the five characters above is the correct rule for HTML text and quoted attribute values; content placed inside a <script> block, a URL, or an unquoted attribute needs the escaping rules of that context instead. The HTML Entity Encoder encodes any string for safe HTML display.
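As an added example (not the page's HTML Entity Encoder tool, and not code from the article's author), here is a small encoder/decoder in plain JavaScript that covers the three sections above: the five required escapes, decoding of named, decimal and hex entities, and the difference between rendering a payload raw and rendering it encoded. The PAYLOAD string is constructed for the demonstration, and the short NAMED table is an illustrative subset, not the full HTML named character list.

```javascript
// Added example: a minimal HTML entity encoder/decoder in plain JavaScript.
// This is not the page's HTML Entity Encoder tool; it exists to show the
// mechanics of the five required escapes and of decoding all three entity forms.

// Characters that must be escaped when user text lands in an HTML text node
// or a quoted attribute value. &#39; is used for the single quote because
// &apos; is not defined in HTML 4 and some legacy consumers reject it.
const ENCODE_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function encodeHtml(text) {
  // One pass over the input: each special character is replaced once and the
  // replacement text is never re-scanned, so an existing "&amp;" in the input
  // becomes "&amp;amp;" (correct: it then displays literally as "&amp;").
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// A small named-entity table for the decoder (illustrative subset, not the
// full HTML list). Numeric entities cover every other code point.
const NAMED = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  nbsp: "\u00a0", copy: "\u00a9", trade: "\u2122",
};

function decodeHtml(text) {
  // Matches &name;  &#decimal;  &#xhex;  (x and hex digits in either case).
  // The trailing semicolon is required; browsers accept some legacy forms
  // without it, but a strict decoder is safer for a utility like this.
  const ENTITY = /&(#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g;
  return String(text).replace(ENTITY, (match, _all, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      // Leave impossible code points (NUL, surrogates, beyond U+10FFFF) as-is
      // instead of emitting an invalid string.
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
      return String.fromCodePoint(cp);
    }
    // Unknown names are left untouched rather than silently dropped. The own-
    // property check keeps names like "constructor" from hitting the prototype.
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}

// Constructed attacker input for the demonstration (not taken from the page).
const PAYLOAD = `<script>alert('XSS')</script> & "friends"`;

// Unsafe: raw user text concatenated into markup. If this string reached the
// DOM, the script tag would be parsed and executed. Kept only for contrast.
function renderCommentUnsafe(userText) {
  return `<p class="comment">${userText}</p>`;
}

// Safe: the same template with the user text encoded first. The browser now
// shows the payload as literal text and never sees a <script> start tag.
function renderComment(userText) {
  return `<p class="comment">${encodeHtml(userText)}</p>`;
}

// Encoding followed by decoding must give back the original text.
function roundTrips(text) {
  return decodeHtml(encodeHtml(text)) === text;
}

console.log(renderComment(PAYLOAD));
console.log(decodeHtml("&#38; &#60; &#x26; &#x3C; &copy; &#169; &#xA9;"));
```

Run it with node. The decoder is strict about the trailing semicolon, whereas a browser's HTML parser accepts a handful of legacy names without it, so a decoder that feeds a security filter should normalize input the same way the consuming browser does, not more loosely and not more strictly.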


Using the HTML Entity Encoder

Paste any text into the HTML Entity Encoder to encode all special characters into their entity equivalents. Switch to decode mode to convert entity strings back to readable text. The tool handles named entities, decimal entities, and hex entities in both directions.

Frequently Asked Questions

What are HTML entities?
HTML entities are escape sequences that represent special characters. They prevent characters like < and & from being interpreted as HTML markup. Format: &name; or &#number; or &#xhex;
Which characters need HTML encoding?
At minimum: & (ampersand), < (less than), > (greater than), " (double quote), and ' (single quote). These characters have special meaning in HTML and must be encoded when used as content.
Why is HTML encoding important for security?
Encoding prevents cross-site scripting (XSS) attacks. Without encoding, user-supplied content containing