Three reasons you're here: you're about to inject user content into HTML, you're debugging why a literal "©" string is showing up in your rendered page, or you're copying emoji into an email template and Outlook just rendered a box. All three are HTML entity territory.
If you write web apps and you're not encoding user-generated content before rendering it, you have an XSS vulnerability right now. I don't care if your framework "auto-escapes" — verify. React escapes JSX interpolation by default. Vue does too. Angular, Svelte, all of them. But raw innerHTML, v-html, dangerouslySetInnerHTML, or template tags that disable auto-escaping — that's where the danger is. Encode < to <, > to >, & to &, " to ". Every time, user-influenced content, no exceptions.
Named entities are nicer to read: ©, ®, ™, —. Dreamweaver-era code is full of them. But numeric entities are bulletproof: © (decimal) or © (hex). The character has to be in the document's charset or you get a replacement character — and "charset" is the operative word. A UTF-8 document and a Latin-1 document will decode the same © correctly (numeric entities are Unicode code points, not bytes), but a named entity's rendered output depends on whether the browser's entity table maps it. Numeric is safer, just uglier.
Email is its own nightmare. Outlook doesn't use a browser engine, it uses Word's rendering. That means tons of CSS features don't exist, and character encoding is a coin flip. Use © for the copyright sign in email, not the raw character, not ©. If the charset declaration is missing, the raw byte might render as something sensible in one client and mojibake in another.
Don't encode inside <script> or <style> tags. The browser doesn't decode entities there — it treats them as raw text. If you need string escaping in JavaScript, use JS escaping (backslash-n, backslash-t, the actual copyright char), not HTML entities.
The reference list here has all 2520+ named entities. Most you'll never use. The five you need daily are <, >, &, ", '. Bookmark those five and encode by habit, not by memory.
Modern HTML5 with explicit UTF-8 in the <meta> tag lets you write most characters directly — Japanese, emoji, accented Latin. That's fine. You still need to encode the five structural characters (<, >, &, ", ') as content, no matter what UTF-8 gets you. Encoding doesn't replace input validation; it's a rendering-time safety net. Validate the input, then encode at the boundary.