🛠️Dev Toolbox

🌐 HTML Entity Encoder

Encode special characters into HTML entities and decode entities back to characters.

Three reasons you're here: you're about to inject user content into HTML, you're debugging why a literal "©" string is showing up in your rendered page, or you're copying emoji into an email template and Outlook just rendered a box. All three are HTML entity territory.

If you write web apps and you're not encoding user-generated content before rendering it, you have an XSS vulnerability right now. I don't care if your framework "auto-escapes" — verify. React escapes JSX interpolation by default. Vue does too. Angular, Svelte, all of them. But raw innerHTML, v-html, dangerouslySetInnerHTML, or template tags that disable auto-escaping — that's where the danger is. Encode < to &lt;, > to &gt;, & to &amp;, " to &quot;. Every time, user-influenced content, no exceptions.

Named entities are nicer to read: &copy;, &reg;, &trade;, &mdash;. Dreamweaver-era code is full of them. But numeric entities are bulletproof: &#169; (decimal) or &#xA9; (hex). The character has to be in the document's charset or you get a replacement character — and "charset" is the operative word. A UTF-8 document and a Latin-1 document will decode the same &#169; correctly (numeric entities are Unicode code points, not bytes), but a named entity's rendered output depends on whether the browser's entity table maps it. Numeric is safer, just uglier.

Email is its own nightmare. Outlook doesn't use a browser engine, it uses Word's rendering. That means tons of CSS features don't exist, and character encoding is a coin flip. Use &#169; for the copyright sign in email, not the raw character, not &copy;. If the charset declaration is missing, the raw byte might render as something sensible in one client and mojibake in another.

Don't encode inside <script> or <style> tags. The browser doesn't decode entities there — it treats them as raw text. If you need string escaping in JavaScript, use JS escaping (backslash-n, backslash-t, the actual copyright char), not HTML entities.

The reference list here has all 2520+ named entities. Most you'll never use. The five you need daily are &lt;, &gt;, &amp;, &quot;, &apos;. Bookmark those five and encode by habit, not by memory.

Modern HTML5 with explicit UTF-8 in the <meta> tag lets you write most characters directly — Japanese, emoji, accented Latin. That's fine. You still need to encode the five structural characters (<, >, &, ", ') as content, no matter what UTF-8 gets you. Encoding doesn't replace input validation; it's a rendering-time safety net. Validate the input, then encode at the boundary.

More Developer Tools

Explore our complete collection of 60+ free developer tools at dev.aisoosoo.com. All tools run 100% in your browser — no signup, no data sent to servers.