What Are HTML Entities?

HTML entities are special codes used to represent characters that have special meaning in HTML or that cannot be easily typed on a keyboard. Every HTML entity starts with an ampersand (&) and ends with a semicolon (;). There are two types: named entities use descriptive names (like &lt; for less-than) and numeric entities use the Unicode code point (like &#60; for the same character). Both produce identical results in the browser.

Why HTML Entities Are Necessary

HTML uses certain characters as part of its syntax. The less-than sign < opens HTML tags. The greater-than sign > closes them. The ampersand & starts entity references. If you want to display these characters as literal text in a web page rather than having the browser interpret them as HTML syntax, you must use their entity equivalents. Writing <div> in your HTML source creates an actual div element. Writing &lt;div&gt; displays the text literally as angle brackets and the word div.

The Most Important HTML Entities

The entities you will use most frequently are the following. The less-than sign < is encoded as &lt; or &#60;. The greater-than sign > is encoded as &gt; or &#62;. The ampersand & is encoded as &amp; or &#38;. The double quote " is encoded as &quot; or &#34;. The single quote or apostrophe is encoded as &apos; or &#39;. The non-breaking space is encoded as &nbsp; (this creates a space that prevents line breaking between words). The copyright symbol © is encoded as &copy;. The trademark symbol ™ is encoded as &trade;. The registered trademark symbol ® is encoded as &reg;.

When to Use HTML Encoding

HTML encoding is required in several specific situations. When displaying user-generated content — comments, form submissions, or any text entered by users — always HTML encode before rendering to prevent cross-site scripting (XSS) attacks. When displaying code examples on a web page, HTML encode all angle brackets so code is displayed as text rather than parsed as HTML. When including special characters in HTML attributes, encode any characters that could break the attribute parsing. In XML documents, which share many of the same reserved characters as HTML, encoding is mandatory for the five predefined entities.

HTML Encoding and XSS Security

Cross-site scripting (XSS) is one of the most common web application security vulnerabilities. It occurs when user-supplied input is rendered in a web page without proper encoding, allowing attackers to inject malicious JavaScript. For example, if a comment form accepts the text <script>alert('hacked')</script> and renders it without encoding, the browser executes the script. Properly encoding user input to &lt;script&gt;alert('hacked')&lt;/script&gt; makes the browser display it as harmless text. All major web frameworks provide automatic HTML escaping functions; always use them for user-supplied content.
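
The following is an added example, not code from the original page or from the cookiescursor.com tool. It encodes user-supplied values at the point of output for both element text and a quoted attribute, and pairs the encoder with a decoder for named, decimal and hex references. The function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example; function names are hypothetical, not from the original page.
// The five characters with syntactic meaning in HTML text and quoted attributes.
const ENTITY_FOR = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;", // numeric form, because HTML 4 does not define &apos;
};

// Encode in a single pass so that an ampersand produced by one replacement
// is never picked up and encoded again by a later replacement.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_FOR[ch]);
}

// Names this decoder understands (a small subset; lookups are case-sensitive).
const CHAR_FOR = new Map([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"], ["nbsp", "\u00a0"],
]);

// Decode named, decimal (&#60;) and hex (&#x3C;) references.
// Unknown names and out-of-range code points are left untouched.
function decodeHtml(value) {
  return String(value).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== "#") return CHAR_FOR.has(body) ? CHAR_FOR.get(body) : match;
    const isHex = body[1] === "x" || body[1] === "X";
    const codePoint = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    return codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : match;
  });
}

// Build a comment fragment: the author goes into a quoted attribute and the
// body into element text. Both values are encoded where they are written out.
function renderComment(author, body) {
  return `<p class="comment" title="${encodeHtml(author)}">${encodeHtml(body)}</p>`;
}

// Constructed sample input: a name containing both quote types and the script text from above.
const sampleAuthor = `Tom "T" O'Neil`;
const sampleBody = "<script>alert('hacked')</script>";
console.log(renderComment(sampleAuthor, sampleBody));
console.log(encodeHtml(encodeHtml("AT&T"))); // encoding twice yields a visible &amp;
console.log(decodeHtml("&lt;div&gt; &#60;div&#62; &#x3C;div&#x3E;"));
```

The encoder covers element text and quoted attribute values only; values placed in unquoted attributes, URLs, or inline script need the encoding rules of those contexts instead.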

How to Use Our Free HTML Entity Encoder

Our free HTML entity encoder and decoder at cookiescursor.com converts text between HTML entities and readable characters in real time. Switch between Encode and Decode mode, paste your text, and the output updates instantly as you type. A reference table below the tool shows the most common HTML entities for quick reference. Copy the output with one click. No signup required.

Frequently Asked Questions

Should I always HTML encode user input?
Yes. Any user-supplied content that is rendered in a web page should be HTML encoded to prevent XSS attacks. This is one of the most fundamental web security practices.

What is the difference between HTML encoding and URL encoding?
HTML encoding converts characters to HTML entities for safe display in web pages. URL encoding (percent-encoding) converts characters to %XX format for safe inclusion in URLs. They are different systems for different contexts.

Do I need to encode spaces in HTML?
Regular spaces in HTML text content do not need encoding. However, multiple consecutive spaces are collapsed to a single space in HTML. Use &nbsp; when you need a non-breaking space or want to preserve multiple spaces.

What does &amp; mean?
&amp; is the HTML entity for the ampersand character itself. It shows up as visible text when already-encoded text is encoded a second time, for example in documentation showing entity codes.

Are HTML entities case sensitive?
Named entities are case-sensitive: &lt; is not the same name as &LT;. Use the correct case as specified in the HTML specification. Numeric entities are not case-sensitive.

When should I use named vs numeric entities?
Named entities (&lt;, &amp;) are more readable and easier to remember. Numeric entities (&#60;, &#38;) work everywhere including XML documents that do not predefine named entities. For the core five XML entities, either form works.
