What is HTML encoding?

HTML encoding converts characters that have special meaning in HTML into their safe entity equivalents. For example, < becomes < and & becomes &. This is required to prevent browsers from interpreting user content as HTML markup, to prevent XSS (Cross-Site Scripting) attacks, and to display characters correctly in all browsers and email clients.

What is the difference between HTML encoding and URL encoding?

HTML encoding converts characters to HTML entities (< &) for use inside HTML documents. URL encoding (percent-encoding) converts characters to %XX format for use in URLs. Both may be needed together: a URL inside an HTML attribute should be URL-encoded first, then the result HTML-encoded into the attribute value.

Which HTML characters must always be encoded?

The five essential characters: & (ampersand → &), (greater-than → >), " (double quote → "), and ' (single quote → '). Always encode & first — encoding < before & causes double-encoding of the ampersand in <.

What is the difference between named, decimal, and hex HTML entities?

Named entities use human-readable names: © € —. Decimal entities use the Unicode code point as a base-10 number: © €. Hex entities use hexadecimal: © €. All three produce identical rendered output. Use named for readable source, decimal for maximum compatibility, hex for XML and technical contexts.

What is and when should I use it?

( ) is a non-breaking space. Unlike a regular space, it prevents line breaks between words and is not collapsed by HTML. Use it to prevent word wrapping (e.g., 10 km), add non-collapsible spacing in HTML, or ensure table cells have minimum content.

How do I HTML encode in PHP?

Use htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8') to encode the 5 essential characters including single quotes. Use htmlentities() to encode all named entities. Always pass ENT_QUOTES to encode both quote types, and specify the character encoding explicitly as 'UTF-8'.

How do I HTML encode in JavaScript?

JavaScript has no built-in HTML encoder. The standard DOM approach: create an element, set its textContent (which auto-escapes), then read innerHTML. For Node.js, use the 'he' npm package: he.encode(str) and he.decode(str). Avoid hand-rolling string.replace() chains — they miss edge cases.

How do I HTML encode in Python?

Use html.escape(str) from Python's built-in html module. It encodes & " and optionally ' (pass quote=True). To decode, use html.unescape(str). Both are available in the standard library — no external package needed.

Is stripping HTML tags safe for security sanitization?

No. Stripping tags (removing patterns) is useful for text extraction but is NOT reliable as a security sanitization strategy. Attackers can craft inputs that survive tag stripping. For security, use dedicated sanitization libraries: DOMPurify (JavaScript), Bleach (Python), HTMLPurifier (PHP), or html-sanitize (Go). These understand the full HTML parsing spec and handle edge cases.

What is attribute-safe HTML encoding?

Attribute-safe encoding encodes all characters that could break out of an HTML attribute context: both quote types, control characters, and non-ASCII. Use it when injecting dynamic values into HTML attributes in contexts where you cannot use a proper templating engine that handles escaping automatically.

What is the HTML entity for the copyright symbol?

The copyright symbol © can be encoded as: © (named entity), © (decimal), or © (hexadecimal). All three produce the same output: ©

What is the HTML entity for the euro sign?

The euro sign € can be encoded as: € (named entity), € (decimal), or € (hexadecimal). All three produce the same output: €

HTML Encoder / Decoder — Free HTML Entity Converter Online | ToolLance

Encoding Mode

Essential (XSS-safe)

Encodes only & < > " ' — minimum to prevent XSS. Equivalent to PHP htmlspecialchars()

< → < > → > & → & " → "

Named entities

Uses © € — where available, decimal for others

© → © € → € — → — π → π

Decimal numeric (&#N;)

Every char as &#decimal; — maximum compatibility with all browsers and email clients

A → A © → © < → < π → π

Hex numeric (&#xN;)

Every char as &#xHEX; — preferred in XML, CSS, and technical contexts

A → A © → © < → < π → π

Attribute-safe

Encodes all characters that could break HTML attributes, including control chars

" → " ' → ' / → / © → ©

Input — Raw HTML / Text

171 chars5 lines

Output — Encoded

&lt;div class=&quot;hero&quot;&gt;
  &lt;h1&gt;Hello, World! © 2024 — &quot;Quoted&quot; text&lt;/h1&gt;
  &lt;p&gt;Special chars: &amp; &lt; &gt; &quot; &apos; — ™ € £ ¥&lt;/p&gt;
  &lt;a href=&quot;/page?q=hello&amp;lang=en&quot;&gt;Link &amp;amp; More&lt;/a&gt;
&lt;/div&gt;

277 chars29 entities+106 vs input×1.62

Rendered Preview— how the browser renders the output HTML

⚡ Quick Reference — Common Entities (click named entity to copy)

&&&

<<<

>>>

"""

'''

©©©

®®®

™

™™™

€

€€€

£££

¥¥¥

—

———

–

–––

…

………

   

«««

»»»

×××

÷÷÷

±±±

∞

∞∞∞

≠

≠≠≠

≤

≤≤≤

≥

≥≥≥

🔍 Entity Analysis — 29 entities, 5 unique types found in output

<→<×9

>→>×9

"→"×7

&→&×3

'→'

HTML Encoder & Decoder

Free HTML Encoder & Decoder — All Modes, Instant Results

What This Tool Does

Frequently Asked Questions

What is HTML encoding and why is it needed?

What is the difference between HTML encoding and URL encoding?

Which characters must always be HTML encoded?

What is   and when do I use it?

How do I HTML encode in JavaScript?

What is the difference between named, decimal, and hex entities?

Is stripping HTML tags the same as sanitizing HTML?

Free HTML Encoder & Decoder — All Modes, Instant Results

What This Tool Does

Frequently Asked Questions

What is HTML encoding and why is it needed?

What is the difference between HTML encoding and URL encoding?

Which characters must always be HTML encoded?

What is &nbsp; and when do I use it?

How do I HTML encode in JavaScript?

What is the difference between named, decimal, and hex entities?

Is stripping HTML tags the same as sanitizing HTML?

What is and when do I use it?