HTML Entities Encoder/Decoder

Encode and decode HTML entities to display text safely in web pages and prevent XSS attacks.

XSS Prevention

< >: Prevent script injection
&: Avoid entity confusion
" ': Secure attribute values
Always encode: User input content
Context matters: HTML vs attributes

Named Entities

Readable: &copy; vs &#169;
Standard: HTML5 specification
Limited: ~2000 predefined entities
Best for: Common symbols
Fallback: Use numeric for others

Numeric Entities

Universal: Any Unicode character
Decimal: &#8364; (Euro symbol)
Hex: &#x20AC; (Euro symbol)
Range: 0 to 1,114,111 (Unicode)
Use when: No named equivalent

About HTML Entity Encoding

HTML entity encoding converts special characters into safe representations that browsers can display correctly without interpreting them as HTML markup. This is essential for displaying user content, preventing XSS attacks, and ensuring proper rendering of international characters and symbols in web pages.

  • Named entities: Convert characters to readable names like &lt; &gt;
  • Numeric entities: Use decimal codes like &#60; &#62;
  • Hexadecimal entities: Use hex codes like &#x3C; &#x3E;
  • Unicode support: Handle international characters safely
  • XSS prevention: Sanitize user input for web display

HTML Entity Types

Common Named Entities

  • &amp; → & (Ampersand)
  • &lt; → < (Less than)
  • &gt; → > (Greater than)
  • &quot; → " (Quotation mark)
  • &apos; → ' (Apostrophe)
  • &nbsp; → Non-breaking space

Numeric Representations

  • &#38; → & (Decimal)
  • &#60; → < (Decimal)
  • &#62; → > (Decimal)
  • &#x26; → & (Hexadecimal)
  • &#x3C; → < (Hexadecimal)
  • &#x3E; → > (Hexadecimal)
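
Numeric references can be produced and decoded by working with code points rather than UTF-16 code units. The following is an added example, not code from this tool; the function names are hypothetical, and it covers the whole Unicode range, including characters above U+FFFF.

```javascript
// Added example: numeric entity encoding/decoding (hypothetical function names).
const MAX_CODE_POINT = 0x10FFFF; // 1,114,111, the top of the Unicode range

// Encode the reserved characters and everything outside printable ASCII as
// numeric entities. for...of iterates by code point, so a character above
// U+FFFF becomes one entity instead of two surrogate halves.
function toNumericEntities(text, { hex = false } = {}) {
  let out = '';
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    if (cp > 0x7E || '&<>"\''.includes(ch)) {
      out += hex ? `&#x${cp.toString(16).toUpperCase()};` : `&#${cp};`;
    } else {
      out += ch;
    }
  }
  return out;
}

// Decode decimal and hex references in a single pass, so "&#38;lt;" yields
// the text "&lt;" and is not decoded a second time. References to NUL,
// surrogates, or values past the Unicode range become U+FFFD. The remapping
// browsers apply to 0x80-0x9F is not reproduced here.
function decodeNumericEntities(text) {
  const pattern = /&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));/g;
  return String(text).replace(pattern, (match, hexDigits, decDigits) => {
    const cp = hexDigits ? parseInt(hexDigits, 16) : parseInt(decDigits, 10);
    const invalid =
      cp === 0 || cp > MAX_CODE_POINT || (cp >= 0xD800 && cp <= 0xDFFF);
    return invalid ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// Constructed sample values
console.log(toNumericEntities('5 € < 6 £'));            // decimal form
console.log(toNumericEntities('€', { hex: true }));     // hex form
console.log(decodeNumericEntities('&#x3C;b&#62; &#1114112;'));
```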

Frequently Asked Questions

How to encode HTML entities online?

To encode HTML entities online, paste your text into an HTML entity encoder tool like utilAZ and select your encoding mode (named, numeric, or hexadecimal). The tool instantly converts special characters such as <, >, &, and quotes into their safe HTML entity equivalents. This process ensures your content displays correctly in browsers without being interpreted as markup.

What is HTML entity encoding used for?

HTML entity encoding is used to convert special characters into safe representations that browsers render as text instead of interpreting as HTML markup. It plays a critical role in preventing XSS (Cross-Site Scripting) attacks by sanitizing user input before display. Developers also use it to show code snippets on web pages and handle international characters safely. utilAZ provides a free online encoder that supports named, numeric, and hexadecimal entity formats.

Difference between encode and escape HTML?

Encoding HTML converts characters into entity references like &lt; and &amp; so they display safely in web pages. Escaping HTML is a broader term that refers to making any potentially dangerous characters safe for a given context, including attributes and JavaScript. In practice, both terms are often used interchangeably for web security purposes. utilAZ handles both encoding and escaping to protect your content from injection attacks.

How to decode HTML entities in JavaScript?

In JavaScript, you can decode HTML entities by using the DOMParser API or by creating a temporary DOM element and reading its textContent property. For server-side environments like Node.js, libraries such as he or html-entities provide reliable decoding functions. utilAZ also offers a free online HTML entity decoder that works instantly in your browser without installing any packages.

HTML Entity Examples

Common Character Encodings:

Basic HTML Characters:
Input: <script>alert('XSS')</script>
Encoded: &lt;script&gt;alert('XSS')&lt;/script&gt;
Display: <script>alert('XSS')</script>

Special Symbols:
© → &copy; or &#169;
® → &reg; or &#174;
™ → &trade; or &#8482;
€ → &euro; or &#8364;
£ → &pound; or &#163;
← → &larr; or &#8592;
→ → &rarr; or &#8594;
↑ → &uarr; or &#8593;
↓ → &darr; or &#8595;
♥ → &hearts; or &#9829;

Mathematical Symbols:
± → &plusmn; or &#177;
× → &times; or &#215;
÷ → &divide; or &#247;
≠ → &ne; or &#8800;
≤ → &le; or &#8804;
≥ → &ge; or &#8805;
∞ → &infin; or &#8734;
∑ → &sum; or &#8721;
√ → &radic; or &#8730;
π → &pi; or &#960;

Accented Characters:
á → &aacute; or &#225;
é → &eacute; or &#233;
í → &iacute; or &#237;
ó → &oacute; or &#243;
ú → &uacute; or &#250;
ñ → &ntilde; or &#241;
ç → &ccedil; or &#231;
ü → &uuml; or &#252;
ß → &szlig; or &#223;
æ → &aelig; or &#230;

Security and XSS Prevention

XSS Attack Prevention:

Risk: <script>malicious code</script>
Safe: &lt;script&gt;malicious code&lt;/script&gt;
✓ Always encode: User input before display
✓ Validate context: HTML content vs attributes
✓ Use libraries: Trusted encoding functions
✓ Content Security Policy: Additional protection layer

Context-Specific Encoding:

HTML Content: Encode < > &
HTML Attributes: Also encode quotes
JavaScript: Use JSON.stringify()
CSS: Use CSS.escape() or hex
URLs: Use encodeURIComponent()
SQL: Use parameterized queries
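
The context list above, shown as one encoder per output context. This is an added example, not code from this tool; the helper names and the example.invalid base URL are assumptions made for illustration.

```javascript
// One encoder per output context. Helper names are hypothetical (added example).

// HTML text nodes: encode & first, then < and >.
function escapeHtmlText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Quoted attribute values: additionally encode both quote characters.
function escapeHtmlAttr(s) {
  return escapeHtmlText(s)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Data placed in an inline <script>: JSON.stringify() leaves "<" as-is, so a
// string containing "</script>" would end the block. Emit "<" as \u003c.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// href/src values: entity encoding does not change the URL scheme, so
// allow-list the scheme first and only then encode for the attribute.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(url, 'https://example.invalid/'); // base for relative URLs
  } catch {
    return '#';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return '#';
  return escapeHtmlAttr(url);
}

// Constructed sample values, one per context.
console.log(escapeHtmlText(`<script>alert('XSS')</script>`));
console.log(`<input value="${escapeHtmlAttr('" data-injected="1')}">`);
console.log(`<script>var d = ${jsonForInlineScript({ note: '</script>' })};</script>`);
console.log(`<a href="${safeHref('javascript:void(0)')}">link</a>`);
console.log(`<a href="/search?q=${encodeURIComponent('a&b=c')}">search</a>`);
```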

Essential Character Reference

HTML Reserved:

& → &amp;
< → &lt;
> → &gt;
" → &quot;
' → &apos;

Typography:

— → &mdash;
– → &ndash;
“ → &ldquo;
” → &rdquo;
… → &hellip;

Spaces:

Non-breaking space → &nbsp;
En space → &ensp;
Em space → &emsp;
Thin space → &thinsp;
Zero-width space → &ZeroWidthSpace;

Common Use Cases

  • Displaying user-generated content safely
  • Showing HTML code examples in tutorials
  • Preventing XSS attacks in web applications
  • Handling international text with special characters
  • Processing form data before database storage
  • Email template content sanitization
  • RSS/XML feed content preparation
  • SEO-friendly URL parameter encoding