Q: Which characters must always be encoded?

The five essential characters: & (encode first, as &), (as >), " (as " in attributes), and ' (as ' or ' in attributes). Everything else is optional to encode but can be encoded for safety.

Q: What is the difference between & < and their numeric equivalents?

Named entities (&, <) and numeric entities (&, <) produce identical results in browsers. Named entities are more readable. Numeric entities are useful in contexts where named entities might not be recognised (some older XML parsers).

Q: Is this tool safe for preventing XSS?

Encoding HTML entities is the correct technique for preventing XSS when displaying user content as text in HTML. However, it should be applied in code (your templating system or framework) at render time — not as a manual step. Always use your framework's built-in escaping (e.g. React auto-escapes JSX expressions, Django's template language auto-escapes by default).

Q: Is my data safe to encode here?

Yes. Encoding runs in your browser. Nothing is sent to a server.

Question 1

Why do I need to encode HTML entities?

Accepted Answer

Characters like < and > have special meaning in HTML — they open and close tags. If you want to display a literal < in a web page without the browser treating it as a tag, you must encode it as <. This is also critical for security: failing to encode user input before inserting it into HTML can cause XSS (cross-site scripting) attacks.

Question 2

Which characters must always be encoded?

Accepted Answer

The five essential characters: & (encode first, as &), < (as <), > (as >), " (as " in attributes), and ' (as ' or ' in attributes). Everything else is optional to encode but can be encoded for safety.

Question 3

What is the difference between & < and their numeric equivalents?

Accepted Answer

Named entities (&, <) and numeric entities (&#38;, &#60;) produce identical results in browsers. Named entities are more readable. Numeric entities are useful in contexts where named entities might not be recognised (some older XML parsers).

Question 4

Is this tool safe for preventing XSS?

Accepted Answer

Encoding HTML entities is the correct technique for preventing XSS when displaying user content as text in HTML. However, it should be applied in code (your templating system or framework) at render time — not as a manual step. Always use your framework's built-in escaping (e.g. React auto-escapes JSX expressions, Django's template language auto-escapes by default).

Question 5

Is my data safe to encode here?

Accepted Answer

Yes. Encoding runs in your browser. Nothing is sent to a server.

HTML Entity Encode

HTML entity encoding

HTML Entity Encode

Related tools

HTML entity encoding