Which characters get encoded?

Encoding always escapes the markup-critical characters ampersand, less-than, greater-than, double quote, and single quote. A wider table of named entities such as copyright, non-breaking space, and accented letters is also applied so the output is display-safe.

Why must the ampersand be encoded first?

Because every entity begins with an ampersand, it must be replaced before any other character. If it were not, encoding the less-than sign would produce text starting with an ampersand that a later pass would wrongly re-escape, corrupting the output.

Does decoding handle entities not in the table?

This tool decodes the named entities it knows plus numeric entities in decimal and hexadecimal form. Unknown named entities are left untouched so no data is silently lost; use the numeric tool if you need every reference decoded.

What is the difference between ' and '?

Both represent a single quote. The named form ' is valid in HTML5 and XML but not in older HTML4, where ' is the safe choice. Encoding here uses the numeric ' for the apostrophe for maximum compatibility.

Is named encoding enough to prevent XSS?

Escaping the five markup characters stops most injection in HTML text contexts, but attribute and script contexts need extra care. Treat this as a display helper, not a substitute for a context-aware templating engine on the server.

HTML Named Entity Encoder/Decoder

Q: What is the difference between &apos; and &#39;?

Both represent a single quote. The named form &apos; is valid in HTML5 and XML but not in older HTML4, where &#39; is the safe choice. Encoding here uses the numeric &#39; for the apostrophe for maximum compatibility.

HTML named entities let you show characters that would otherwise be interpreted as markup. This tool escapes the critical characters and a useful table of common symbols into their &name; form, and decodes them back to plain text.

How it works

Encoding replaces the ampersand first, then the remaining special characters, so no escape sequence is ever double-processed:

& -> &amp;
< -> &lt;
> -> &gt;
" -> &quot;
' -> &#39;
© -> &copy;     (non-breaking space) -> &nbsp;

Decoding scans for &...; references, looks each named entity up in the table, and also expands numeric references such as   and   so mixed input is handled cleanly.

Tips and notes

Always encode the ampersand before any other character — this is the single most common bug in hand-rolled escapers. When putting user text inside an HTML attribute, the double quote must be escaped ("), which this tool does. For content that will be parsed as XML rather than HTML, prefer the dedicated XML escaper, since HTML defines hundreds of named entities that XML does not.