UTILYARD
tools / developer

HTML Entity Encoder

Encode and decode HTML entities and special characters.

INPUT

COMMON ENTITIES

&&
<&lt;
>&gt;
"&quot;
'&#39;
/&#x2F;
©&copy;
®&reg;
&trade;
&mdash;
&ndash;
·&nbsp;

FAQ

What are HTML entities?
HTML entities are special codes used to represent characters that would otherwise be interpreted as HTML markup, such as < and >. They start with & and end with ;.
When do I need to encode HTML?
Whenever you display user-provided content in HTML, insert code examples into a page, or write characters like <, >, &, or " inside HTML attributes.
What is the difference between encoding and escaping?
They mean the same thing in this context — converting characters to their entity equivalents so they render as literal text rather than being parsed as HTML.
Does this encode all special characters?
This tool encodes the characters most commonly required for XSS prevention and safe HTML rendering: &, <, >, ", ', /, and `. For full Unicode entity encoding, additional characters may be needed.

ABOUT THIS TOOL

Paste text to convert special characters like <, >, &, and © into their HTML entity equivalents, or decode entities back to readable characters. HTML entities exist because certain characters have structural meaning in markup — a literal < would be read as the start of a tag — so encoding them as &lt;, &gt;, &amp;, and similar named or numeric codes (like &#169; for ©) lets you display them as visible text instead. Useful when writing HTML content by hand, sanitizing user input, or troubleshooting rendering issues where text either shows up as broken tags or displays literal entity codes instead of the character they represent.

HOW TO USE

  1. Choose Encode or Decode mode.
  2. Paste the text or HTML snippet you want to convert.
  3. For encoding, the tool converts reserved characters (<, >, &, ", ') and non-ASCII symbols into named or numeric entities.
  4. For decoding, it converts entities like &amp; or &#39; back into the literal character.
  5. Review the output to confirm characters like quotes and ampersands look correct.
  6. Copy the result into your HTML template, CMS field, or sanitization pipeline.

COMMON USE CASES

  • A developer writing raw HTML by hand needs to display a literal < or & symbol as visible text without it being parsed as markup.
  • Someone building a comment system encodes user-submitted text before rendering it to prevent stray HTML or script tags from executing.
  • A content editor troubleshoots a page showing "&amp;" instead of "&" by decoding entities to see what the underlying text actually contains.
  • A developer migrating content from an old CMS export decodes a batch of entity-encoded text to get clean plain text for a database import.
  • Someone documenting code snippets on an HTML page encodes angle brackets so example markup displays as text instead of rendering as real elements.

TIPS & COMMON MISTAKES

  • Encoding HTML entities is not the same as full XSS sanitization — it prevents characters from being parsed as markup, but a real sanitizer library should still be used for anything rendered from untrusted user input.
  • The characters that matter most for basic HTML safety are <, >, &, ", and ' — encoding just these covers most injection risks in simple text contexts.
  • Named entities (&amp;, &copy;) and numeric entities (&#38;, &#169;) are interchangeable in HTML — numeric codes work for any Unicode character, while named entities only exist for a defined common subset.
  • Double-encoding is a common mistake: running already-encoded text through the encoder again turns &amp; into &amp;amp;, so check whether your input is already escaped first.

MORE QUESTIONS

Does HTML entity encoding protect against XSS attacks?
It helps by preventing characters like < and > from being parsed as tags, but it's not a complete solution on its own — proper XSS prevention also depends on context (HTML body vs attribute vs JavaScript) and should generally use a dedicated sanitization library, not entity encoding alone.
What's the difference between &nbsp; and a regular space?
&nbsp; is a non-breaking space entity that prevents line wrapping at that point, and unlike a regular space, HTML won't collapse multiple consecutive &nbsp; entities the way it collapses regular whitespace.
Why do I see literal text like "&amp;" on my webpage instead of "&"?
This usually means the text was encoded once for storage but then encoded a second time before display (double-encoding), or it's being rendered inside a context, like a <pre> or <textarea>, that shows raw markup instead of rendering it.
Do numeric entities work for any character, including emoji?
Yes — a numeric entity like &#128512; references a character by its Unicode code point, so it can represent any character including emoji, whereas named entities only cover a fixed, predefined list.

RELATED GUIDES

What are HTML Entities?
Why some characters must be escaped in HTML, how named and numeric entities work, a reference table of common entities, and the XSS security implications.
Read →
HTML Entity Encoder — UtilYard