# What are HTML Entities?

> HTML entities are special character sequences that represent reserved or invisible characters in HTML, using named references like `&amp;` or numeric codes like `&#38;`.

- URL: https://www.browserutils.dev/glossary/html-entities
- Published: 2026-03-21
- Updated: 2026-03-16

---

**HTML entities** are special character sequences that represent reserved or invisible characters in HTML, using named references (like `&amp;`) or numeric codes (like `&#38;`). They ensure that characters with special meaning in HTML syntax are displayed correctly in the browser.

## Why entities exist

HTML uses `<`, `>`, `&`, and `"` as part of its syntax. If you want to display a literal `<` character on a page without the browser interpreting it as a tag, you need to encode it as `&lt;`. Without entities, `<script>` in your content would be parsed as an actual script tag.

The five essential entities every developer should know:

| Character | Entity | Numeric |
|-----------|--------|---------|
| `<` | `&lt;` | `&#60;` |
| `>` | `&gt;` | `&#62;` |
| `&` | `&amp;` | `&#38;` |
| `"` | `&quot;` | `&#34;` |
| `'` | `&apos;` | `&#39;` |

## Named vs. numeric entities

Named entities are readable (`&copy;` for ©, `&mdash;` for —) but limited to a predefined set. Numeric entities can represent any Unicode code point: `&#x1F600;` renders as the grinning face emoji. The `&#x` prefix indicates hexadecimal; `&#` without the `x` uses decimal.

```html
<!-- Named -->
<p>&copy; 2026 &mdash; All rights reserved</p>

<!-- Numeric (hex) -->
<p>&#x00A9; 2026 &#x2014; All rights reserved</p>
```

## When to use entities

- **Always** encode `<`, `>`, `&` in text content and attribute values to prevent XSS vulnerabilities and parsing errors
- **In attributes**: Double quotes inside `href` or `title` attributes need `&quot;`
- **Special characters**: Non-breaking spaces (`&nbsp;`), em dashes (`&mdash;`), arrows, math symbols
- **Legacy encoding**: When your document encoding doesn't support certain characters

Modern HTML5 with UTF-8 encoding means you can type most characters (©, é, —) directly. Entities are mainly needed for the five reserved characters and for characters that are hard to type or invisible.

## Security implications

Failing to encode user input as HTML entities is the root cause of cross-site scripting (XSS) attacks. If user-supplied text containing `<script>alert('xss')</script>` is inserted into a page without encoding, the browser executes it. Always encode output — every template engine does this by default for good reason.
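
The encoding rule above and the named, decimal and hexadecimal forms from "Named vs. numeric entities", as an added JavaScript example (not code from the original page). The names `escapeHtml`, `decodeEntities` and `NAMED` are assumptions for illustration, and the decoder is simplified: it knows only the named references shown on this page.

```javascript
// Added example; all names here are illustrative, not from a library.
// The apostrophe uses the numeric form (&#39;) listed in the table above.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five reserved characters in a single pass, so an '&' produced
// by the encoding itself is never encoded a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Subset of the named references, limited to those mentioned on this page.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                copy: '\u00A9', mdash: '\u2014', nbsp: '\u00A0' };

// Decode named, decimal (&#38;) and hexadecimal (&#x26;) references.
function decodeEntities(text) {
  const ref = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;
  return String(text).replace(ref, (match, body) => {
    if (body[0] !== '#') {
      // Unknown names are left untouched rather than guessed at.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    // NUL, surrogates and values past U+10FFFF become U+FFFD.
    if (!(cp > 0 && cp <= 0x10FFFF) || (cp >= 0xD800 && cp <= 0xDFFF)) return '\uFFFD';
    return String.fromCodePoint(cp);
  });
}

// Constructed sample input: the string quoted in the paragraph above.
const untrusted = "<script>alert('xss')</script>";
const safeText = escapeHtml(untrusted);
// Constructed attribute value containing quotes and reserved characters.
const safeAttr = `<p title="${escapeHtml('say "hi" & <wave>')}">hi</p>`;

console.log(safeText);
console.log(safeAttr);
console.log(decodeEntities('&copy; 2026 &#x2014; &#128512;'));
```

Decoding runs once over the input, so already-encoded text such as `&amp;lt;` decodes to the literal `&lt;` and not to `<`.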

Encode and decode HTML entities with the [HTML Encoder/Decoder](/tools/html-encode-decode) or browse the full list with the [HTML Entities Reference](/tools/html-entities-reference).