HTML Entity Encoder — Encode and Decode HTML Special Characters
Convert special characters to HTML entities and decode entities back to characters. Essential for safe HTML output and preventing XSS vulnerabilities.
HTML has a handful of characters with special meaning — <, >, &, ", '. When these appear in content that's being rendered as HTML, they need to be escaped as entities or they'll be interpreted as markup. This is both a display concern (your <3 emoji becoming a broken tag) and a security concern (unescaped user input is a classic XSS attack vector). The CalcHub HTML Entity Encoder handles both encoding and decoding.
The Core Entities
| Character | HTML Entity | Name |
|---|---|---|
| & | &amp; | Ampersand |
| < | &lt; | Less than |
| > | &gt; | Greater than |
| " | &quot; | Double quote |
| ' | &#39; | Apostrophe |
| Space (non-breaking) | &nbsp; | Non-breaking space |
| © | &copy; | Copyright |
| ® | &reg; | Registered trademark |
| ™ | &trade; | Trademark |
| € | &euro; | Euro sign |
| £ | &pound; | Pound sign |
| — | &mdash; | Em dash |
| – | &ndash; | En dash |
How to Use the Encoder
Encoding (characters → entities):
- Open CalcHub and go to HTML Entity Encoder.
- Paste text containing special characters.
- Choose encoding scope:
  - Essential: &, <, >, ", ' (minimum for security)
  - Extended ASCII: Also encode characters above 127 as numeric entities
  - All non-ASCII: Encode every character outside basic ASCII
- Copy the encoded output.
Decoding (entities → characters):
- Switch to Decode mode.
- Paste HTML with entities.
- The readable text appears.
Essential vs. Full Encoding
For most web use cases, encoding just the five dangerous characters (&, <, >, ", ') is sufficient and keeps output readable. Full encoding replaces every character above ASCII 127 with a numeric entity like &#233; for "é", which is unnecessary bloat unless you're working with email clients or very old systems that don't reliably handle UTF-8.
Security Context
HTML entity encoding is your first line of defense against Cross-Site Scripting (XSS):
User input: <script>alert('XSS')</script>
Encoded: &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
Rendered: <script>alert('XSS')</script> (displayed as text, not executed)
Encoding user input before inserting it into HTML prevents injected scripts from running.
What's the difference between named and numeric entities?
Named entities like &amp; are human-readable and widely supported. Numeric entities use the Unicode code point: &#38; (decimal) or &#x26; (hex) both represent &. Named entities only exist for a subset of characters; numeric entities work for every Unicode character.
Does HTML entity encoding prevent all XSS?
It prevents most reflected and stored XSS when applied correctly in HTML contexts. It's NOT sufficient in all contexts — JavaScript strings, CSS values, and URL attributes each require different escaping strategies. Never rely on a single encoding for all output contexts.
Should I encode apostrophes in HTML attributes?
Yes, when the attribute is delimited by single quotes: value='it&#39;s'. If the attribute uses double quotes, apostrophes don't need encoding: value="it's". The encoder handles this automatically based on the attribute context option.
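A small encoder/decoder in JavaScript, added here as an example rather than taken from CalcHub's own code, covering the essential and numeric scopes above, the named and numeric entity forms, and the &#39; apostrophe form. The names encodeHtml, decodeHtml and the numericNonAscii option are choices made for this example.

```javascript
// Added example (not CalcHub's code): encode the five dangerous characters, optionally
// every code point above 127 as a decimal entity, and decode named (the table above)
// plus numeric entities back to text.
const ESSENTIAL = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// &#39; rather than &apos;: &apos; is not defined in HTML 4, so the numeric form is safer.

const NAMED = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0",
  copy: "\u00a9", reg: "\u00ae", trade: "\u2122", euro: "\u20ac", pound: "\u00a3",
  mdash: "\u2014", ndash: "\u2013",
};
// Own-property check so entity names like "&constructor;" never hit Object.prototype.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Each character is handled exactly once, so an "&amp;" already in the input becomes
// "&amp;amp;" (it is re-encoded, never silently passed through as markup).
function encodeHtml(text, { numericNonAscii = false } = {}) {
  let out = "";
  for (const ch of text) {                 // iterates by code point, so an emoji is one entity
    const cp = ch.codePointAt(0);
    if (has(ESSENTIAL, ch)) out += ESSENTIAL[ch];
    else if (numericNonAscii && cp > 127) out += `&#${cp};`;
    else out += ch;
  }
  return out;
}

// Handles &name;, &#NNN; and &#xHHH;. Unknown names are left untouched rather than
// guessed; code points beyond U+10FFFF or in the surrogate range are left as-is too.
function decodeHtml(html) {
  return html.replace(/&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
        return String.fromCodePoint(cp);
      }
      return has(NAMED, name) ? NAMED[name] : match;
    });
}

// Usage with the page's XSS example: the encoded form is inert when inserted as HTML.
const encoded = encodeHtml("<script>alert('XSS')</script>");
console.log(encoded);              // &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
console.log(decodeHtml(encoded));  // <script>alert('XSS')</script>
```

The essential scope is what the page calls the minimum for security; pass numericNonAscii: true for the numeric-entity scopes, and remember that this escaping is for HTML body and quoted-attribute contexts only, not JavaScript, CSS or URL contexts.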