HTML encoding converts special characters into their HTML entity equivalents so they display as visible text rather than being interpreted as markup by the browser.
Without encoding, `<script>alert('xss')</script>` inserted into a page would execute as JavaScript. Encoded as `&lt;script&gt;alert('xss')&lt;/script&gt;`, the browser renders it as the literal text and runs nothing.
When you need HTML encoding
Displaying user-generated content
Any user-generated content displayed in HTML must be encoded before output. This is the primary defense against Cross-Site Scripting (XSS) attacks — one of the most common web security vulnerabilities.
Displaying code in web pages
When writing tutorials, documentation, or blog posts that show HTML or code examples, you need to encode angle brackets and other characters so they display as text rather than being parsed as markup.
Email templates
HTML emails often contain content that must be encoded to display correctly across all email clients, which have inconsistent HTML parsers.
The most important HTML entities
| Character | Entity name | Entity number | Use case |
|---|---|---|---|
| `<` | `&lt;` | `&#60;` | Less-than, HTML tag start |
| `>` | `&gt;` | `&#62;` | Greater-than, HTML tag end |
| `&` | `&amp;` | `&#38;` | Ampersand (encode first!) |
| `"` | `&quot;` | `&#34;` | Double quote in attributes |
| `'` | `&apos;` | `&#39;` | Single quote in attributes (`&apos;` is HTML5-only; `&#39;` works in every client) |
| U+00A0 | `&nbsp;` | `&#160;` | Non-breaking space |
| `©` | `&copy;` | `&#169;` | Copyright symbol |
| `®` | `&reg;` | `&#174;` | Registered trademark |
| `™` | `&trade;` | `&#8482;` | Trademark symbol |
| `€` | `&euro;` | `&#8364;` | Euro sign |
| `£` | `&pound;` | `&#163;` | Pound sign |
| `—` | `&mdash;` | `&#8212;` | Em dash |
| `–` | `&ndash;` | `&#8211;` | En dash |
Encoding order matters
Always encode `&` before any other character, or replace all of them in a single pass. If you encode `<` first and get `&lt;`, then encode `&`, you'd get `&amp;lt;`: the ampersand that begins the entity is encoded a second time, and the browser displays the literal text `&lt;` instead of `<`.
Correct order for sequential replacements: `&` → `<` → `>` → `"` → `'`. Only the position of `&` matters; the other four can go in any order, because none of their entities contains another character from the set. The same rule applies in reverse when decoding: expand `&amp;` last, otherwise `&amp;lt;` becomes `&lt;` and then `<`, which is the double-decoding mirror of the same bug.
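As an added example that is not part of the original page or its tool, here is a JavaScript encoder and decoder for the entities in the table above, plus a chained encoder that handles `&` last so you can see the double-encoding bug just described. The function names are my own, and the sample payload is the one from the top of the page.

```javascript
// Added example, not the page's tool code. Function names are hypothetical.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;', // numeric form on purpose: &apos; is HTML5-only
};

// Single-pass encoder: the regex visits each input character exactly once,
// so the '&' produced by one substitution is never rescanned. Order cannot
// matter here, which is why this is the safe way to write it.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Chained encoder that handles '&' LAST: the entities produced by the earlier
// replace() calls each contain an '&', which the final step encodes again.
function htmlEncodeWrongOrder(text) {
  return String(text)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/&/g, '&amp;'); // too late: '&lt;' is now part of the input
}

// Decoder for the named entities in the table plus decimal and hex numeric
// references. One pass again: '&amp;lt;' must come out as the text '&lt;',
// not be decoded a second time to '<'.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
  copy: '\u00a9', reg: '\u00ae', trade: '\u2122', euro: '\u20ac',
  pound: '\u00a3', mdash: '\u2014', ndash: '\u2013',
};

function htmlDecode(text) {
  return String(text).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return code > 0x10ffff ? match : String.fromCodePoint(code);
    }
    const named = NAMED_ENTITIES[body]; // entity names are case-sensitive
    return named === undefined ? match : named; // unknown names are left alone
  });
}

// Demonstration on the payload from the top of the page (constructed input).
const payload = "<script>alert('xss')</script>";
console.log(htmlEncode(payload));
console.log(htmlEncodeWrongOrder('<b>'));
console.log(htmlDecode('&amp;lt;'));
console.log(htmlDecode(htmlEncode(payload)) === payload);
```

`htmlEncode` is the version to keep: because it is a single replacement, nothing an earlier step produced is ever fed back in, so the ordering rule becomes a non-issue. `htmlDecode` deliberately leaves an unknown name such as `&bogus;` untouched rather than guessing, which is also what browsers do.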
HTML encoding vs URL encoding
These are different things often confused:
- HTML encoding: for inserting text into HTML pages (`<>&` becomes `&lt;&gt;&amp;`)
- URL encoding: for inserting data into URLs (`<>&` becomes `%3C%3E%26`)
- JavaScript encoding: for inserting data into JS strings (`<` becomes `\u003C`)
Use the right encoding for the right context — mixing them up creates security vulnerabilities.
When NOT to encode
Not all contexts require HTML encoding:
- CSS property values (use different escaping)
- JavaScript string values (use JS escaping)
- JSON values (use JSON escaping)
- URLs (use percent-encoding)
Only HTML-encode content that will be inserted directly into HTML text content or quoted attribute values. Always quote the attribute: an unquoted attribute value ends at the first whitespace, so encoding the five characters above is not enough on its own to keep untrusted input inside it.
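The following is an added example, not code from the original page: the same untrusted value encoded for the three contexts listed above, followed by a concrete demonstration of the mismatch the text warns about, an HTML-encoded value dropped into a URL. Function names and sample values are constructed for this demonstration; the JavaScript-string encoder generalizes the page's single `\u003C` example to every character that is not an ASCII letter or digit.

```javascript
// Added example, not the page's own code. Names and sample values are
// constructed for this demonstration.
const untrusted = `<b>"Tom" & 'Jerry'</b>`;

// 1. HTML text or a quoted attribute value: the five entities from the table.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_MAP[ch]);
}

// 2. URL query component: percent-encoding. encodeURIComponent covers the
//    URL delimiters (&, =, ?, #, /, space) as well as < > and quotes.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// 3. JavaScript string literal: \uXXXX escapes for every character that is
//    not an ASCII letter or digit. The result can close neither the quote
//    around it nor an enclosing <script> element, because neither ' " nor
//    </ survives. It must be inserted inside quotes, e.g. var v = 'ENCODED';
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// Same value, three contexts.
function encodeAll(value) {
  return {
    html: encodeForHtml(value),
    url: encodeForUrlParam(value),
    js: encodeForJsString(value),
  };
}

// Context mismatch: an HTML-encoded value placed in a URL. The '&' inside
// '&amp;' is a query-string separator, so the receiving application sees the
// parameter split in two and the original '&' is gone. Node's WHATWG URL
// parser plays the role of the server-side query parser here.
function parseQuery(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

function demoMismatch() {
  const base = 'https://example.test/search?q=';
  return {
    right: parseQuery(base + encodeForUrlParam('Tom&Jerry')),
    wrong: parseQuery(base + encodeForHtml('Tom&Jerry')),
  };
}

console.log(encodeAll(untrusted));
console.log(demoMismatch());
```

`demoMismatch().right` yields `{ q: 'Tom&Jerry' }`, while `demoMismatch().wrong` yields `{ q: 'Tom', 'amp;Jerry': '' }`: the data is silently corrupted, and if the application had relied on that parameter for a security decision, the wrong encoder has changed what it evaluates. Picking the encoder by the destination context, not by habit, is the whole point of the section above.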
How to encode and decode HTML for free
- Go to HTML Encoder / Decoder
- Paste your text or HTML in the input
- Click Encode to convert special characters to entities
- Click Decode to convert entities back to characters
- Copy the result
All processing happens in your browser with no server involved.