
HTML Entity Encoder

Convert special characters to HTML entities for safe use in HTML markup. Runs entirely in your browser.


What is HTML Entity Encoding?

HTML entity encoding replaces characters that carry special meaning in HTML markup with entity references that the parser treats as literal text. The five characters that must always be encoded are: < (becomes &lt;), > (becomes &gt;), & (becomes &amp;), " (becomes &quot;), and ' (becomes &#39;; the numeric form is used because the named &apos; was only added in HTML5 and older parsers do not recognise it). When a browser encounters one of these entity references, it displays the original character rather than interpreting it as markup.

Why HTML entity encoding matters for security

Cross-Site Scripting (XSS) is one of the most common web vulnerabilities and occurs when untrusted user input is rendered directly in HTML without encoding. If a user submits <script>alert(1)</script> and your application renders it as raw HTML, the browser executes the script. HTML entity encoding prevents this by converting the angle brackets to &lt;script&gt;, which the browser displays as literal text. OWASP lists output encoding as the primary defence against reflected and stored XSS.
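The encoder below is an added example, not code from jsondecode.com. It encodes the five reserved characters in a single pass, shows why a sequential-replace implementation must handle & before the other characters, and renders the reflected-XSS probe from the paragraph above as inert text. The renderComment function and its author/body fields are assumed for illustration.

```javascript
// Added example: minimal HTML entity encoder for the five reserved characters.
// Suitable for the HTML text context and for quoted attribute values.
const HTML_ENTITY_MAP = {
  '&': '&amp;',   // every other entity contains '&', so it must never be re-encoded
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',   // numeric form: &apos; is HTML5-only
};

function htmlEncode(input) {
  // One regex pass replaces each reserved character exactly once, so the '&'
  // introduced by an entity is never itself turned into &amp;.
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITY_MAP[ch]);
}

// Deliberately wrong ordering, kept to show the failure mode: encoding '&'
// after '<' and '>' corrupts the entities just produced ('<' -> '&amp;lt;').
function htmlEncodeWrongOrder(input) {
  return String(input)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/&/g, '&amp;');
}

// Constructed sample input: the classic reflected-XSS probe.
const PAYLOAD = '<script>alert(1)</script>';

// Hypothetical view helper: every untrusted value is encoded at the point
// where it is inserted into markup, never earlier.
function renderComment(author, body) {
  return `<li><b>${htmlEncode(author)}</b>: ${htmlEncode(body)}</li>`;
}

console.log(htmlEncode(PAYLOAD));          // &lt;script&gt;alert(1)&lt;/script&gt;
console.log(htmlEncodeWrongOrder('a<b'));  // a&amp;lt;b  (broken)
console.log(renderComment('<b>', 'a&b'));
```

Encode at output time, in the view layer, rather than on the way into the database: stored data stays canonical and can be reused in other contexts (JSON, plain-text email) without decoding first.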

The five reserved HTML characters

Character   Entity   Why it needs encoding
<           &lt;     Opens an HTML tag: unencoded, it would start a tag
>           &gt;     Closes an HTML tag
&           &amp;    Starts an entity reference: encode this one first
"           &quot;   Closes double-quoted attribute values
'           &#39;    Closes single-quoted attribute values

Named entities vs numeric entities

HTML supports three types of entity references. Named entities use a human-readable name: &copy; for ©, &nbsp; for a non-breaking space. Decimal numeric entities reference the Unicode code point as a decimal number: &#169; for ©. Hex numeric entities use a hexadecimal code point: &#xA9; for ©. All three forms are valid HTML5. Named entities are more readable; numeric entities work for any Unicode character, even ones without a named entity.

When to use HTML entity encoding

  • Rendering user input in HTML — any text from a form, API, database, or URL parameter must be entity-encoded before being inserted into HTML.
  • Template engines — most modern frameworks (React, Vue, Angular, Jinja2, Handlebars) auto-escape output by default. Disable auto-escaping only when you explicitly trust the content.
  • Email HTML — HTML email clients have varied parser behaviour; encoding reserved characters prevents display issues across clients.
  • CMS and rich-text editors — content stored in a CMS may already be encoded; double-encoding breaks display. Check what your storage layer does first.
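As an added example (not code from jsondecode.com) covering both the three entity forms described above and the double-encoding pitfall in the last bullet, the decoder below handles named, decimal and hexadecimal references, leaves unknown names and out-of-range code points untouched, and shows what a browser ends up displaying when already-encoded content is encoded a second time. The named-entity table is a deliberately small subset; a real decoder needs the full HTML5 list.

```javascript
// Added example: decoder for named, decimal and hex entity references,
// plus a demonstration of what double encoding does to stored content.

// Small subset of HTML5 named entities; the real list has over 2,000 names.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  nbsp: '\u00A0', copy: '\u00A9',
};

function htmlDecode(input) {
  // Matches &#xA9; / &#169; / &copy; style references with a terminating ';'.
  return String(input).replace(
    /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi,
    (match, body) => {
      if (body[0] === '#') {
        const isHex = body[1] === 'x' || body[1] === 'X';
        const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
        // Anything beyond U+10FFFF is not a Unicode scalar value; leave it as text.
        if (!Number.isFinite(cp) || cp > 0x10ffff) return match;
        return String.fromCodePoint(cp);
      }
      // Named entities are case-sensitive: &Copy; is not &copy;.
      const named = NAMED_ENTITIES[body];
      return named !== undefined ? named : match;
    },
  );
}

// Encoder for the five reserved characters, used for the double-encoding demo.
const encodeReserved = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Simulates a CMS that already stored the value encoded; encoding it again on
// output produces &amp;lt;, which the browser renders as the literal text "&lt;".
function doubleEncodeDisplayed(raw) {
  const storedEncoded = encodeReserved(raw);          // what the storage layer kept
  const renderedTwice = encodeReserved(storedEncoded); // output layer encodes again
  return htmlDecode(renderedTwice);                    // what the user actually sees
}

console.log(htmlDecode('&copy; &#169; &#xA9;'));   // © © ©
console.log(doubleEncodeDisplayed('<b>'));         // &lt;b&gt;  (garbage on screen)
```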

Frequently asked questions

Does HTML entity encoding protect against all XSS?

Entity encoding prevents HTML-context XSS but not every injection. If user input lands inside a <script> block, a JavaScript event handler attribute, a CSS style, or a URL attribute value (href, src), different encoding or validation rules apply: a javascript: URL contains none of the five reserved characters, and inside <script> the parser does not decode entities at all. Even in an ordinary attribute, the value must be quoted; in an unquoted attribute a space or = ends the value, and neither is encoded. Use context-specific escaping for each injection context.
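The following is an added example, not code from jsondecode.com, showing three contexts where the five-character encoder is not enough: an unquoted attribute, a URL attribute, and a script block. The encodeHtml, renderUnquoted, renderQuoted, isSafeHref, renderLink and renderScriptData helpers and the example.invalid base URL are assumptions made for the demonstration; the scheme allow-list is one reasonable policy, not the only one.

```javascript
// Added example: one encoder does not fit every injection context.
const encodeHtml = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// 1. Attribute context. The reserved characters are encoded, yet the unquoted
//    form still breaks out: space and '=' are not reserved, so a new attribute
//    is injected. Quoting the value is what makes the encoding sufficient.
function renderUnquoted(value) {
  return `<input value=${encodeHtml(value)}>`;     // vulnerable pattern
}
function renderQuoted(value) {
  return `<input value="${encodeHtml(value)}">`;   // safe for this context
}

// 2. URL context. 'javascript:alert(1)' passes through entity encoding
//    untouched, so validate the scheme instead of relying on the encoder.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function isSafeHref(url) {
  let parsed;
  try {
    // Hypothetical base so relative links resolve; the URL parser also
    // normalises case and strips leading whitespace ('JaVaScRiPt:' -> 'javascript:').
    parsed = new URL(String(url), 'https://example.invalid/');
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}
function renderLink(url, text) {
  const href = isSafeHref(url) ? url : '#';
  return `<a href="${encodeHtml(href)}">${encodeHtml(text)}</a>`;
}

// 3. Script context. Inside <script> the parser performs no entity decoding,
//    so &lt; would reach JavaScript literally. Serialise with JSON.stringify and
//    escape '<' so neither </script> nor <!-- can terminate the element.
function renderScriptData(obj) {
  const json = JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')   // line separators are legal in JSON but not
    .replace(/\u2029/g, '\\u2029');  // in older JS string literals
  return `<script>const data = ${json};</script>`;
}

console.log(renderUnquoted('x onmouseover=alert(1)'));   // attribute injected
console.log(renderQuoted('x" onmouseover="alert(1)'));   // stays a string
console.log(renderLink('javascript:alert(1)', 'click')); // href replaced with #
console.log(renderScriptData({ s: '</script>' }));
```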

Should I encode all non-ASCII characters?

Not necessarily. HTML5 documents declared as UTF-8 can include Unicode characters directly. You only need to encode characters that have special HTML meaning (the five reserved characters above) or characters your character encoding cannot represent. Encoding all non-ASCII as numeric entities makes source code harder to read without improving security.
