What Are HTML Entities?
HTML entities are special codes that represent characters which either have a special meaning in HTML or cannot be typed directly. For example, &lt; is the HTML entity for the < character (less-than sign), which would otherwise be interpreted as the start of an HTML tag.
Entities can be named (&lt;, &amp;, &copy;) or numeric (&#60;, &#38;). Named entities are more readable; numeric entities work for any Unicode character, including those that have no named entity.
How HTML Entity Encoding Works
The encoder scans text for characters that need escaping and replaces them with their entity equivalents.
- Critical escaping — < > & " ' are always escaped to prevent HTML injection and XSS
- Extended escaping — optionally encode all non-ASCII characters as numeric entities
- Decode mode — converts entity-encoded HTML back to plain text for inspection
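The three modes listed above, implemented as an added example in JavaScript. This is not the tool's own code; the function names, the option name extended and the small named-entity table are assumptions made for illustration, and the sample string is constructed.

```javascript
// Added example (not the tool's own code): a small HTML entity encoder/decoder
// mirroring the three modes described above. All names are assumptions.

// Characters that must always be escaped in HTML text and quoted-attribute context.
const CRITICAL = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",   // &apos; is not an HTML4 entity, so the numeric form is safer
};

// Minimal named-entity table for decoding; a full decoder carries the HTML5 list.
const NAMED = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", copy: "\u00A9", nbsp: "\u00A0",
};

// Encode text so it is safe inside an element body or a quoted attribute value.
// With extended=true, every non-ASCII code point is also written as a decimal entity.
function encodeHtmlEntities(text, { extended = false } = {}) {
  let out = "";
  for (const ch of String(text)) {          // iterates by code point, not UTF-16 unit
    if (Object.prototype.hasOwnProperty.call(CRITICAL, ch)) {
      out += CRITICAL[ch];
    } else if (extended && ch.codePointAt(0) > 0x7e) {
      out += "&#" + ch.codePointAt(0) + ";";
    } else {
      out += ch;
    }
  }
  return out;
}

// Decode named, decimal and hex entities back to plain text for inspection.
// Unknown names and invalid code points are left as-is rather than guessed, and a
// single pass means "&amp;lt;" decodes to "&lt;", never to "<".
function decodeHtmlEntities(html) {
  return String(html).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      const valid = cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
      return valid ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Constructed sample input for the demonstration below.
const SAMPLE = "Tom & Jerry <b>\"quoted\"</b> it's \u00a9 2024 caf\u00e9";

if (typeof require !== "undefined" && require.main === module) {
  console.log(encodeHtmlEntities(SAMPLE));
  console.log(encodeHtmlEntities(SAMPLE, { extended: true }));
  console.log(decodeHtmlEntities(encodeHtmlEntities(SAMPLE, { extended: true })));
}
```

Note that "&" is encoded on the first pass like any other character, so the encoder never needs to special-case existing entities; if input that is already encoded must be preserved, decode it first and re-encode, rather than trying to detect entities inside the encoder.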
When To Use HTML Entity Encoding
HTML entity encoding is critical for security and for displaying special characters in web pages.
- User content display — always encode user-generated content before rendering in HTML to prevent XSS attacks
- Email templates — encode special characters in HTML email templates to ensure correct rendering
- Documentation — escape code examples in HTML documentation so angle brackets display correctly
Frequently Asked Questions
What is XSS and how does entity encoding prevent it?
Cross-Site Scripting (XSS) is an attack where malicious scripts are injected into web pages viewed by other users. If a user submits <script>alert('xss')</script> and it is rendered as HTML, the script executes. Entity encoding converts < to &lt; (and > to &gt;), so the browser renders the submission as text instead of interpreting it as a tag, preventing script execution.
When should I use & versus &amp; in HTML?
In HTML attributes and content, & must be encoded as &amp; whenever it is not the start of an entity reference. A bare & in HTML is a parsing error. In URLs within href attributes, the & separating query parameters must also be written as &amp; to be valid HTML (though browsers are forgiving and usually recover).
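The two FAQ answers above (script injection in element content, and & inside an href attribute) rendered through a small template, as an added example that is not part of the original page. The template shape, the function names and both user-supplied values are constructed assumptions for illustration.

```javascript
// Added example (not the tool's own code): the same user input rendered into an
// HTML template twice, once unescaped (the XSS case) and once entity-encoded.
// Template shape, names and sample values are assumptions for illustration.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Constructed user comment of the kind the FAQ describes.
const USER_COMMENT = "<script>alert('xss')</script>";
// Constructed profile link whose query string contains & (needs &amp; inside href).
const USER_LINK = "https://example.com/profile?id=42&tab=posts";

// Unsafe: user data is concatenated straight into markup.
function renderUnsafe(comment, link) {
  return `<p><a href="${link}">author</a>: ${comment}</p>`;
}

// Safe: every user-controlled value is entity-encoded before it lands in markup.
function renderSafe(comment, link) {
  return `<p><a href="${escapeHtml(link)}">author</a>: ${escapeHtml(comment)}</p>`;
}

// Defender-side check on rendered output: does it contain a tag name that the
// template itself never emits? This template only produces <p> and <a>.
function hasUnexpectedTag(html, allowed = ["p", "a"]) {
  const tags = [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderUnsafe(USER_COMMENT, USER_LINK), hasUnexpectedTag(renderUnsafe(USER_COMMENT, USER_LINK)));
  console.log(renderSafe(USER_COMMENT, USER_LINK), hasUnexpectedTag(renderSafe(USER_COMMENT, USER_LINK)));
}
```

Entity encoding makes the link safe as an attribute value and keeps the & in its query string valid HTML; whether the URL itself is an acceptable link (scheme, host) is a separate validation step that encoding does not perform.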
Does HTML entity encoding protect against SQL injection?
No. HTML entity encoding only protects against HTML injection (XSS). For SQL injection prevention, use parameterized queries or prepared statements in your database layer. These are separate attack vectors requiring different defenses — never rely on HTML encoding to prevent SQL injection.