browserutils
← All terms

// glossary

What are HTML Entities?

HTML entities are special character sequences that represent reserved or invisible characters in HTML, using named references like & or numeric codes like &.

HTML entities are special character sequences that represent reserved or invisible characters in HTML, using named references (like &) or numeric codes (like &). They ensure that characters with special meaning in HTML syntax are displayed correctly in the browser.

Why entities exist

HTML uses <, >, &, and " as part of its syntax. If you want to display a literal < character on a page without the browser interpreting it as a tag, you need to encode it as &lt;. Without entities, <script> in your content would be parsed as an actual script tag.

The five essential entities every developer should know:

CharacterEntityNumeric
<&lt;&#60;
>&gt;&#62;
&&amp;&#38;
"&quot;&#34;
'&apos;&#39;

Named vs. numeric entities

Named entities are readable (&copy; for ©, &mdash; for —) but limited to a predefined set. Numeric entities can represent any Unicode code point: &#x1F600; renders as the grinning face emoji. The &#x prefix indicates hexadecimal; &# without the x uses decimal.

<!-- Named -->
<p>&copy; 2026 &mdash; All rights reserved</p>

<!-- Numeric (hex) -->
<p>&#x00A9; 2026 &#x2014; All rights reserved</p>

When to use entities

  • Always encode <, >, & in text content and attribute values to prevent XSS vulnerabilities and parsing errors
  • In attributes: Double quotes inside href or title attributes need &quot;
  • Special characters: Non-breaking spaces (&nbsp;), em dashes (&mdash;), arrows, math symbols
  • Legacy encoding: When your document encoding doesn’t support certain characters

Modern HTML5 with UTF-8 encoding means you can type most characters (©, é, —) directly. Entities are mainly needed for the five reserved characters and for characters that are hard to type or invisible.

Security implications

Failing to encode user input as HTML entities is the root cause of cross-site scripting (XSS) attacks. If user-supplied text containing <script>alert('xss')</script> is inserted into a page without encoding, the browser executes it. Always encode output — every template engine does this by default for good reason.

Encode and decode HTML entities with the HTML Encoder/Decoder or browse the full list with the HTML Entities Reference.

#Related Tools

HTML Entity Encoder / Decoder
Encode and decode HTML entities
HTML Entities Reference
Searchable HTML entities table
HTML Formatter
Beautify and indent HTML code

#Related Terms

What is URL Encoding?
URL encoding (percent-encoding) is a mechanism for encoding special characters in URLs by replacing them with a percent sign followed by their hexadecimal ASCII value.
What is UTF-8?
UTF-8 is a variable-width character encoding that can represent every Unicode code point, using one to four bytes per character, and is the dominant encoding on the web.
What is XML?
XML (Extensible Markup Language) is a markup language that defines rules for encoding structured documents using nested tags, attributes, and text content.
What is ASCII?
ASCII (American Standard Code for Information Interchange) is a 7-bit character encoding standard that maps 128 characters — including English letters, digits, punctuation, and control codes — to numeric values.

#Learn More

Glossary
What is HTML Entities?
Glossary
What is URL Encoding?
Glossary
What is XPath?
Cheatsheet
HTML Entities Cheatsheet — Symbols, Math, Arrows & More