HTML Encoder
Encode special characters to HTML entities for safe display in web pages.
Input Text
Encoded Output
HTML Entity Reference
&<>"' Security: HTML encoding prevents XSS (Cross-Site Scripting) attacks by converting potentially dangerous characters into their safe entity equivalents.
What Is HTML Encoding?
HTML encoding is the process of converting characters that carry special meaning in HTML markup into their corresponding HTML entity equivalents, so that browsers render them as literal text rather than interpreting them as markup instructions. When you write content that may include angle brackets, ampersands, quotation marks, or apostrophes, an HTML encoder transforms each of those reserved characters into a safe entity string that browsers display visually as the original character without triggering parser errors or security vulnerabilities.
The HTML specification reserves a small set of characters for structural purposes: < and > delimit tags, & begins entity references, and " and ' delimit attribute values. Inserting any of these characters directly into page content without encoding them can break the surrounding markup, cause text to disappear, or — far more seriously — allow injected scripts to execute in the reader's browser. HTML encoding is therefore both a display correctness measure and a core web security practice.
This free online HTML encoder tool supports three encoding modes to suit different use cases. The All Special Characters mode encodes the full set of five reserved characters. The Minimal mode encodes only the three characters essential for valid HTML structure. The Numeric Entities mode converts every reserved character plus every character with a Unicode code point above 127 into its decimal numeric entity, ensuring pure ASCII output that is safe for any legacy system or transmission channel.
HTML entities can take two forms: named entities such as & and <, which are human-readable and widely supported; and numeric entities such as & and <, which encode a character by its decimal Unicode code point. Both forms are understood by all modern browsers and produce identical rendered output.
Encoding Modes and How They Work
The HTML encoder on this page applies one of three encoding algorithms depending on the mode you select. Understanding each mode helps you choose the right level of encoding for your specific situation.
All Special Characters mode uses a replacement map of all five characters that are structurally significant in HTML and XML and replaces each occurrence with its named entity. The map is: & → &, < → <, > → >, " → ", and ' → '. The JavaScript regex /[&<>"']/g matches all five characters globally and each match is replaced via the map. This mode is appropriate for user-generated content, code snippets, or any text destined for an HTML attribute or body context where apostrophes and quotation marks could break surrounding quotes.
Minimal mode encodes only the three characters required for syntactically valid HTML: & → &, < → <, and > → >. The regex /[&<>]/g is used. Quotation marks and apostrophes are left as-is. This mode is suitable when the output will appear in HTML body text (not inside attribute values) and you know the surrounding context does not include attribute delimiters.
Numeric Entities mode iterates character by character using split('').map(). For each character it reads the Unicode code point with charCodeAt(0). If the code point is greater than 127 OR the character is one of the five reserved characters (&<>"'), it is replaced with &#NNN; where NNN is the decimal code point. All other ASCII characters (code points 0–127 that are not reserved) pass through unchanged. The resulting array is joined back into a string. This mode produces pure 7-bit ASCII output that can travel through any ASCII-only channel and is useful for internationalised content or legacy encoders that do not support named entities.
| Character | Named Entity | Numeric Entity | Mode(s) |
|---|---|---|---|
& |
& |
& |
All, Minimal, Numeric |
< |
< |
< |
All, Minimal, Numeric |
> |
> |
> |
All, Minimal, Numeric |
" |
" |
" |
All, Numeric |
' |
' |
' |
All, Numeric |
| chars > U+007F | — | &#NNN; |
Numeric only |
HTML Encoding Algorithm
Where:
- input= The raw text string entered by the user
- entities= A lookup map: { '&': '&', '<': '<', '>': '>', '"': '"', "'": ''' }
- char= Each individual character from the input string as matched by the regex or iteration
- code= The decimal Unicode code point of the character, obtained via charCodeAt(0)
- output= The fully encoded string safe for insertion into HTML markup
HTML Encoding and XSS Prevention
Cross-Site Scripting (XSS) is one of the most prevalent web application vulnerabilities, consistently appearing in the OWASP Top 10. An XSS attack occurs when an attacker injects malicious scripts into web pages that are then executed in the browsers of unsuspecting users. The attack is possible whenever a web application echoes user-supplied data back to the page without proper encoding, allowing angle brackets and other special characters to form executable <script> tags or event handler attributes.
HTML encoding is the primary countermeasure for reflected XSS and stored XSS. When user input is encoded before being placed into an HTML context, the browser treats the content as text rather than markup. An input such as <script>alert('XSS')</script> becomes <script>alert('XSS')</script> after encoding, which the browser renders as harmless visible text rather than executing as JavaScript.
Different HTML contexts require different levels of encoding. Text placed directly inside an HTML element body requires at minimum that &, <, and > be encoded (Minimal mode). Text placed inside a quoted attribute value additionally requires that the quote character used as the attribute delimiter be encoded — so both " and ' must be handled (All mode). Never insert user data into unquoted HTML attributes, <script> blocks, inline event handlers, or CSS values using HTML encoding alone; those contexts require JavaScript string escaping or URL encoding in addition to HTML encoding.
Developers working in server-side languages should use their framework's built-in escaping functions rather than rolling their own — for example, htmlspecialchars() in PHP, HtmlEncoder.Default.Encode() in ASP.NET, or Encode.forHtml() in the OWASP Java Encoder library. This online HTML encoder is ideal for manual encoding tasks, content preparation, template authoring, and learning what encoded output looks like before you integrate it into an automated pipeline.
HTML Entity Reference and Common Characters
Beyond the five core reserved characters, HTML defines hundreds of named entities for typographic symbols, mathematical operators, accented letters, currency signs, arrows, and other special characters. Using the correct entity ensures that characters display consistently across browsers and operating systems regardless of the page's declared character encoding.
Numeric entities are universally supported because they reference a character's absolute Unicode code point, making them independent of any named-entity vocabulary. Named entities, on the other hand, are more readable in source code and well-suited for common characters that authors type repeatedly.
| Character | Named Entity | Numeric Entity | Description |
|---|---|---|---|
| & | & |
& |
Ampersand |
| < | < |
< |
Less-than / open tag |
| > | > |
> |
Greater-than / close tag |
| " | " |
" |
Double quotation mark |
| ' | ' |
' |
Apostrophe / single quote |
|
  |
Non-breaking space | |
| © | © |
© |
Copyright symbol |
| € | € |
€ |
Euro sign |
| — | — |
— |
Em dash |
When you are unsure which entity form to use, prefer named entities for the five reserved characters (they are the most widely recognised in code reviews) and numeric entities for any character outside the standard ASCII range. Both forms produce identical visual output in the browser.
When and Where to Apply HTML Encoding
HTML encoding is not a one-size-fits-all operation. The correct output encoding depends entirely on the context where the data will be inserted in the final HTML document. Applying the wrong type of encoding — or applying it in the wrong place — either fails to prevent the attack or corrupts the data.
- HTML body content: Text inserted between opening and closing HTML tags must have
&,<, and>encoded at minimum. Use Minimal or All mode from this tool. - HTML attribute values (quoted): In addition to the three characters above, the quote character that wraps the attribute value must also be encoded. Use All mode to cover both double quotes and apostrophes.
- Code and pre-formatted blocks: Source code displayed inside
<pre><code>blocks almost always contains angle brackets and ampersands. Always encode the full character set before inserting code samples into HTML to prevent the browser from interpreting the code as markup. - User-generated content (CMS, forums, comments): Any content typed or pasted by a user must be encoded before storage in a database and again before rendering on the page. Encoding at render time (output encoding) is generally the more robust approach since it prevents stored XSS even if the database contains malicious content inserted through other channels.
- Template engines and server-rendered HTML: Most modern template engines such as Jinja2, Blade, Handlebars, and ERB apply HTML encoding by default to all interpolated variables. Be cautious about triple-brace or
rawhelpers that bypass auto-escaping — use them only when you have verified the data is safe. - JSON data embedded in HTML: If a JSON object is written directly into a
<script>tag using server-side rendering, HTML encoding is insufficient; you must also escape the JSON forward slashes and Unicode line-separator characters to prevent injection via unexpected script termination.
This HTML encoder tool is especially useful for content authors and developers who need to prepare code samples, user-supplied strings, or special-character text for safe display on web pages. Paste your raw text, choose the appropriate encoding mode, and copy the safe encoded output directly into your HTML template or CMS editor.
Worked Examples
Encoding a div Tag (All Mode)
Problem:
Encode the string '<div class="container">Hello & welcome!</div>' using All Special Characters mode so it displays as visible text in a browser.
Solution Steps:
- 1Input: <div class="container">Hello & welcome!</div>
- 2Regex /[&<>"']/g matches: '<' at position 0, 'd','i','v' pass through, ' ' passes, 'c','l','a','s','s' pass, '=' passes, '"' at attribute open, 'c'...'r' pass, '"' at attribute close, '>' at tag close, 'H','e','l','l','o',' ' pass, '&' in text, ' ','w','e','l','c','o','m','e','!' pass, '<' at closing tag, '/','d','i','v' pass, '>' at close.
- 3Apply entity map: '<' → '<', '"' → '"', '>' → '>', '&' → '&', '<' → '<', '>' → '>'.
- 4All non-special characters pass through unchanged.
- 5Concatenate the result to form the final encoded string.
Result:
<div class="container">Hello & welcome!</div>
Minimal Encoding (Ampersand and Angle Brackets Only)
Problem:
Encode the string 'Price: 10 > 5 & it's a deal' using Minimal mode, which targets only &, <, and >.
Solution Steps:
- 1Input: Price: 10 > 5 & it's a deal
- 2Regex /[&<>]/g is applied — it matches '>' (position 11) and '&' (position 15) only.
- 3'>' → '>' and '&' → '&'.
- 4The apostrophe in "it's" is NOT in the minimal regex pattern, so it passes through unchanged.
- 5All other characters including letters, digits, spaces, and punctuation pass through unchanged.
Result:
Price: 10 > 5 & it's a deal
Numeric Entity Encoding with Non-ASCII Character
Problem:
Encode the string 'Café & <menu>' using Numeric Entities mode to produce pure ASCII output.
Solution Steps:
- 1Input: Café & <menu> (the é character has Unicode code point 233, which is > 127).
- 2Characters C, a, f pass through (code points 67, 97, 102 — all ≤ 127 and not reserved).
- 3'é' has charCodeAt(0) = 233 > 127, so it becomes 'é'.
- 4' ' (space, code 32) passes through. '&' is a reserved character so it becomes '&'. ' ' passes. '<' becomes '<', 'm','e','n','u' pass, '>' becomes '>'.
- 5Join all parts together.
Result:
Café & <menu>
Encoding Apostrophes for HTML Attributes
Problem:
Encode the string "user's profile" for safe use inside a double-quoted HTML attribute using All mode.
Solution Steps:
- 1Input: user's profile
- 2Regex /[&<>"']/g scans the string and finds the apostrophe ' at position 4 (code point 39).
- 3The apostrophe is in the entities map with the value '''.
- 4'u','s','e','r' and ' profile' all pass through unchanged since they contain no reserved characters.
- 5Result has apostrophe replaced; safe for use inside either double-quoted or single-quoted HTML attributes.
Result:
user's profile
Tips & Best Practices
- ✓Always use All mode when encoding content destined for HTML attribute values — apostrophes and quotation marks can break attributes if left unencoded.
- ✓Use Minimal mode only for HTML body text where you are certain the output context does not include unquoted attributes or script blocks.
- ✓Numeric Entities mode is your safest bet for internationalised content that contains accented letters, currency symbols, or non-Latin scripts, as it converts every non-ASCII character to a portable decimal entity.
- ✓Encode at output time, not storage time — store raw text in your database and apply HTML encoding when rendering to the page to avoid double-encoding issues.
- ✓HTML encoding alone is not enough for content inside script tags or inline event handlers (onclick, onmouseover) — those contexts additionally require JavaScript string escaping.
- ✓When pasting encoded HTML into a code editor or CMS, verify the result looks correct by previewing the page — some editors may auto-decode entities, which can re-introduce the raw characters.
- ✓The five characters that must always be encoded in HTML are &, <, >, ", and ' — memorise this set as the foundation of safe HTML output.
- ✓For URL query parameters that contain HTML entities, apply URL encoding on top of the HTML encoding — the correct order is HTML-encode first, then URL-encode the attribute value as a whole.
Frequently Asked Questions
Sources & References
Last updated: 2026-06-05
Help us improve!
How would you rate the HTML Encoder?
Editorial Note
MyCalcBuddy Editorial Team
This page is maintained as an educational calculator reference.
Formula Source: Standard Mathematical References
by Various