Convert special characters to HTML entities to prevent XSS vulnerabilities, or decode entities back to readable text. All processing is in-browser.
| Character | Named Entity | Numeric Entity | Description |
|---|---|---|---|
| & | `&amp;` | `&#38;` | Ampersand — must always be escaped in HTML attributes and text |
| < | `&lt;` | `&#60;` | Less-than — marks start of HTML tags; must be escaped in text content |
| > | `&gt;` | `&#62;` | Greater-than — marks end of HTML tags |
| " | `&quot;` | `&#34;` | Double quote — must be escaped inside double-quoted HTML attributes |
| ' | `&apos;` | `&#39;` | Single quote — escape inside single-quoted attributes |
|   | `&nbsp;` | `&#160;` | Non-breaking space — prevents line breaks between words |
| © | `&copy;` | `&#169;` | Copyright symbol |
| ® | `&reg;` | `&#174;` | Registered trademark |
| ™ | `&trade;` | `&#8482;` | Trademark symbol |
| € | `&euro;` | `&#8364;` | Euro sign |
| £ | `&pound;` | `&#163;` | Pound sterling |
| ¥ | `&yen;` | `&#165;` | Japanese yen |
| — | `&mdash;` | `&#8212;` | Em dash |
| – | `&ndash;` | `&#8211;` | En dash |
| … | `&hellip;` | `&#8230;` | Horizontal ellipsis |
| « | `&laquo;` | `&#171;` | Left-pointing double angle quotation mark |
| » | `&raquo;` | `&#187;` | Right-pointing double angle quotation mark |
| ÷ | `&divide;` | `&#247;` | Division sign |
| × | `&times;` | `&#215;` | Multiplication sign |
| ° | `&deg;` | `&#176;` | Degree sign |
An HTML entity is a string that begins with an ampersand (`&`) and ends with a semicolon (`;`), representing a character that either has special meaning in HTML syntax or cannot be reliably typed in plain text. There are two forms: named entities (e.g. `&amp;` for &) and numeric entities, which can be decimal (e.g. `&#38;`) or hexadecimal (e.g. `&#x26;`).
Cross-Site Scripting (XSS) is the number one web application vulnerability (OWASP Top 10 A03). It occurs when an attacker injects HTML or JavaScript into a page that is then rendered by other users' browsers. The primary defence is output encoding: convert the characters with HTML meaning (`<` `>` `&` `"` `'`) into their entity equivalents before inserting user-controlled content into the HTML output. A string like `<script>alert(1)</script>` becomes harmless once encoded as `&lt;script&gt;alert(1)&lt;/script&gt;` — the browser renders it as text, not as a script tag.
Use `&nbsp;` to prevent line breaks between elements that should remain on the same line (e.g. a number and its unit: "100 km").

Entities are also used for symbols that may not be typeable on all keyboards: copyright © (`&copy;`), registered trademark ® (`&reg;`), em dash — (`&mdash;`), and math symbols.

PHP provides `htmlspecialchars()`, which encodes the five critical characters (`&` `"` `'` `<` `>`) and is the correct function for XSS prevention. Use `htmlentities()` to encode all applicable characters to named entities. Always pass `ENT_QUOTES | ENT_HTML5` as the flags and specify the charset: `htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8')`. After encoding entities, use our free HTML editor online to preview how the encoded HTML renders in a browser. For encoding special characters in URL query strings rather than in HTML, use our URL encoder.
The ampersand (`&` → `&amp;`) must always be encoded first, because it is the delimiter character for all other entities. If you encode other characters before the ampersand, you will double-encode them (for example `&lt;` becomes `&amp;lt;`). The five critical entities for XSS prevention are: `&amp;` `&lt;` `&gt;` `&quot;` `&#39;` (`&apos;` in HTML5).
`htmlspecialchars()` encodes only the five characters that have special HTML meaning: `&`, `"`, `'`, `<`, `>`. `htmlentities()` encodes all applicable characters to their named HTML entity equivalents (e.g. accented characters like é become `&eacute;`). For XSS prevention, `htmlspecialchars()` is sufficient and preferred because over-encoding can corrupt multi-byte UTF-8 content.
When setting content with element.textContent, the browser automatically treats the string as plain text — no encoding needed. When using element.innerHTML, you must encode any user-controlled content before assignment, or use DOMPurify to sanitize it. Avoid innerHTML for user content when possible; prefer textContent or createElement().
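The encoder/decoder below is an added example, not the tool's own code: it implements the five-character output encoding described above in the ampersand-first order, shows the double-encoding you get when the order is wrong, and decodes named, decimal and hex entities in a single pass so that an already-encoded `&amp;#38;` is not decoded twice.

```javascript
// Added example (not the tool's own code). Runs in Node or in a browser.

// The five characters with HTML meaning, in the order they must be replaced.
// '&' comes first: it starts every entity, so encoding it later would
// re-encode the entities produced for the other four characters.
const ESCAPE_ORDER = [
  ['&', '&amp;'],
  ['<', '&lt;'],
  ['>', '&gt;'],
  ['"', '&quot;'],
  ["'", '&#39;'],
];

// Encode user-controlled text before inserting it into HTML text or a
// quoted attribute value.
function encodeHtml(str) {
  let out = String(str);
  for (const [ch, entity] of ESCAPE_ORDER) out = out.split(ch).join(entity);
  return out;
}

// Same replacements with the ampersand done last: demonstrates the
// double-encoding bug ("<b>" becomes "&amp;lt;b&amp;gt;").
function encodeHtmlWrongOrder(str) {
  let out = String(str);
  for (const [ch, entity] of [...ESCAPE_ORDER].reverse()) out = out.split(ch).join(entity);
  return out;
}

// Decode the common named entities plus decimal (&#38;) and hex (&#x26;)
// numeric entities. One pass only, so "&amp;#38;" yields "&#38;", not "&".
// Unknown names and out-of-range code points are left untouched.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };
function decodeHtml(str) {
  return String(str).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}
```

Note that `decodeHtml` is for turning stored entities back into readable text; it must never be applied to data that is about to be written into the DOM with `innerHTML`, since that would undo the encoding.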
A non-breaking space (Unicode U+00A0) is a space character that prevents automatic line breaks at its position. Use it between a number and its unit (e.g. 100 km), between a title and a name (e.g. Dr. Smith), or to prevent orphaned single words at the end of a paragraph. Do not use for layout spacing — use CSS margin and padding instead.