HTML Entity Encoder
Encode special characters to HTML entities to prevent XSS and display issues. Free online HTML entity encoder, no signup needed.
Convert Special Characters to HTML Entities Safely
HTML entities are escape sequences that represent characters which would otherwise be interpreted as HTML markup or cause rendering problems. When you need to display a less-than sign (`<`) in a web page's text content without the browser treating it as an opening HTML tag, you write `&lt;` instead. When you need an ampersand, you write `&amp;`. These entity references tell the browser to display the literal character rather than parsing it as syntax.
Our free HTML entity encoder converts any text containing special characters to its properly escaped HTML equivalent. Paste your text, click Encode, and every character that needs escaping is converted to its safe HTML entity form—ready to embed in HTML source code, email templates, CMS content fields, or any other context where raw characters could cause display or security issues.
The Five Critical Characters You Must Always Encode
Five characters have special meaning in HTML syntax and must always be encoded when they appear as literal text content rather than as HTML structure.
`<` (less-than) → `&lt;`: Opens HTML tags. Unencoded less-than signs in text content cause the browser to attempt tag parsing, breaking the page structure when the expected closing `>` doesn't follow.
`>` (greater-than) → `&gt;`: Closes HTML tags. While browsers are generally more forgiving about unencoded greater-than signs in text content, proper encoding prevents any ambiguity.
`&` (ampersand) → `&amp;`: Begins HTML entity sequences. An unencoded ampersand that isn't followed by a valid entity name and semicolon produces invalid HTML and may display as a literal ampersand or as a parsing error, depending on the browser.
`"` (double quote) → `&quot;`: Terminates attribute values in double-quoted attributes. Critical when embedding user-generated content inside HTML attribute values—an unencoded double quote could close the attribute early and inject additional HTML attributes.
`'` (single quote) → `&#39;` or `&apos;`: Terminates attribute values in single-quoted attributes. Necessary when embedding text in single-quoted attribute values.
HTML Encoding and XSS Prevention
Cross-Site Scripting (XSS) is one of the most common and impactful web application security vulnerabilities. It occurs when user-supplied or externally sourced text is embedded in an HTML page without proper encoding, allowing an attacker to inject executable JavaScript code into the page. If a user enters a `<script>` tag in a form field and that value is displayed back in the page without encoding, the browser executes the script as JavaScript.
Proper HTML entity encoding prevents this by converting the `<` and `>` characters to `&lt;` and `&gt;`, ensuring the browser treats the entire string as text content to display rather than as HTML markup to parse and execute. OWASP (the Open Web Application Security Project) lists HTML encoding of untrusted data as one of the primary defenses against XSS attacks.
Most modern web frameworks apply HTML encoding automatically when outputting template variables to HTML contexts—React, Vue, Angular, and Django all escape HTML by default. The risk arises when using raw/unescaped output methods (`dangerouslySetInnerHTML` in React, `| safe` in Jinja, `html_safe` in Rails) without explicitly verifying that the content is trusted. Our encoder is useful for manually escaping content before it enters these unescaped contexts.
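The following is an added example, not the tool's own code, showing the two things the sections above describe: an encoder that replaces exactly the five critical characters, and a decoder (named, decimal and hexadecimal references) used to confirm the round trip. The `renderComment` function and its sample inputs are constructed for illustration; it places untrusted text in both a text-content position and a double-quoted attribute, the two contexts in which an unencoded `<` or `"` would change the page structure. It runs under Node.js with no dependencies.

```javascript
// Added example (not the tool's own code): encoder for the five characters
// with HTML syntax meaning, plus a decoder used to show the round trip.

// The five critical characters and their entity references. The single quote
// uses the numeric form &#39;, which every HTML version understands (the
// named form &apos; was only standardised in HTML5).
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode text for use as HTML text content or inside a quoted attribute.
// Only the five characters are replaced; all other text, including non-ASCII
// such as "café", passes through unchanged.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Named entities the decoder understands: the five above plus the
// typographic, mathematical and currency names mentioned on this page.
// (The full HTML5 table has over 2,000 names; this is a deliberate subset.)
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  nbsp: "\u00a0", mdash: "\u2014", ndash: "\u2013",
  ldquo: "\u201c", rdquo: "\u201d", copy: "\u00a9", reg: "\u00ae",
  trade: "\u2122", times: "\u00d7", divide: "\u00f7",
  le: "\u2264", ge: "\u2265", ne: "\u2260",
  euro: "\u20ac", pound: "\u00a3", yen: "\u00a5",
};

// Convert a numeric reference to a character, leaving the original text
// in place if the value is outside the Unicode range.
function codePointToChar(value, original) {
  return value > 0x10ffff ? original : String.fromCodePoint(value);
}

// Decode named (&name;), decimal (&#NN;) and hexadecimal (&#xHH;) references.
// An ampersand that does not form a complete, known reference is left as-is,
// which mirrors how browsers treat a stray "&" in text content.
function decodeHtml(html) {
  return String(html).replace(
    /&(?:#x([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined) return codePointToChar(parseInt(hex, 16), match);
      if (dec !== undefined) return codePointToChar(parseInt(dec, 10), match);
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
        ? NAMED_ENTITIES[name]
        : match;
    }
  );
}

// Hypothetical template function: untrusted text goes into a double-quoted
// attribute and into text content. Both positions pass through encodeHtml,
// so the output contains no "<" or '"' from the input and a browser renders
// the input as literal text instead of parsing it as markup.
function renderComment(author, body) {
  return `<p data-author="${encodeHtml(author)}">${encodeHtml(body)}</p>`;
}

// Quick self-check when run directly: node encoder.js
if (typeof require !== "undefined" && require.main === module) {
  // Constructed sample input, the kind of value a form field might hold.
  const sample = 'Tom & Jerry <b>say</b> "hi", it\'s 5 < 6';
  console.log(encodeHtml(sample));
  console.log(decodeHtml(encodeHtml(sample)) === sample);
  console.log(renderComment('A "quoted" name', "<i>not italic</i> & more"));
}
```

The encoder is deliberately context-limited: it is correct for HTML text content and for quoted attribute values, which is what this page covers. Text placed inside a `<script>` block, a URL, or a CSS value needs that context's own escaping rules, and entity encoding alone is not sufficient there.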
Named Entities for Typographic and Special Characters
Beyond the five critical security characters, HTML entities are commonly used to represent typographic symbols, mathematical characters, currency symbols, and international characters that may not display reliably across all character sets or may be difficult to type directly.
Common typographic entities include `&nbsp;` (non-breaking space), `&mdash;` (—, em dash), `&ndash;` (–, en dash), `&ldquo;` (“, left double quote), `&rdquo;` (”, right double quote), `&copy;` (©, copyright), `&reg;` (®, registered trademark), and `&trade;` (™, trademark). Mathematical entities include `&times;` (×, multiplication sign), `&divide;` (÷, division sign), `&le;` (≤), `&ge;` (≥), and `&ne;` (≠). Currency symbols include `&euro;` (€), `&pound;` (£), and `&yen;` (¥).
Free, Private, and Instant
The HTML entity encoder runs entirely in your browser. No text you enter is transmitted to any server or stored anywhere. The tool is completely free with no account required and works on any device with a modern browser.