Toolmingo
Guides6 min read

HTML Character Entities: A Complete Guide

Learn what HTML character entities are, when to use named vs numeric entities, and how to encode special characters in HTML. Includes a quick-reference table and code examples in JavaScript, Python, Go, and PHP.

HTML Character Entities: A Complete Guide

Some characters have special meaning in HTML — <, >, &, and " are used by the parser itself. If you drop them raw into your markup, the browser misreads your content or breaks the page. HTML character entities are the safe way to represent those characters (and many others) in HTML.


What Is an HTML Character Entity?

An HTML character entity is a short code that tells the browser to render a specific character. Every entity starts with & and ends with ;.

There are two flavours:

Flavour Format Example Renders as
Named &name; &amp; &
Numeric (decimal) &#number; &#38; &
Numeric (hex) &#xhex; &#x26; &

All three encode the same character. Named entities are easier to read; numeric entities work for any Unicode character, even ones without a name.


Why You Need Entities

HTML uses <, >, &, and " as syntax. If your content contains any of them unescaped, you'll get:

  • <script> in a headline → the browser tries to run JavaScript
  • AT&T in body text → the parser chokes on the bare &
  • "quote" inside an attribute → the attribute closes prematurely

The fix: replace every unsafe character with its entity before inserting it into HTML.


The Most Important Entities

The "Big Five" (always escape these in HTML)

Character Named entity Numeric Notes
& &amp; &#38; Must escape in all contexts
< &lt; &#60; Opens a tag
> &gt; &#62; Closes a tag
" &quot; &#34; Inside double-quoted attributes
' &apos; &#39; Inside single-quoted attributes (HTML5)

Typography

Character Entity Numeric Meaning
(non-breaking space) &nbsp; &#160; Space that won't wrap
&mdash; &#8212; Em dash
&ndash; &#8211; En dash
&hellip; &#8230; Ellipsis
" &ldquo; &#8220; Left double quotation mark
" &rdquo; &#8221; Right double quotation mark
' &lsquo; &#8216; Left single quotation mark
' &rsquo; &#8217; Right single quotation mark (also apostrophe)
© &copy; &#169; Copyright
® &reg; &#174; Registered trademark
&trade; &#8482; Trademark
&euro; &#8364; Euro sign
£ &pound; &#163; Pound sterling
¥ &yen; &#165; Yen / Yuan

Math & Symbols

Character Entity Meaning
× &times; Multiplication sign
÷ &divide; Division sign
± &plusmn; Plus-or-minus
&le; Less than or equal
&ge; Greater than or equal
&ne; Not equal
&infin; Infinity
&radic; Square root
° &deg; Degree
½ &frac12; One half
¼ &frac14; One quarter

Named vs Numeric: Which to Use?

Use named entities for the characters you type most often — &amp;, &lt;, &gt;, &nbsp;, &copy;. They're self-documenting.

Use numeric (hex) entities when:

  • The character has no named entity (e.g. emoji, obscure Unicode)
  • You're generating entities programmatically and need one code path for everything
  • You want to obfuscate content from naive scrapers

How to Escape HTML in Code

JavaScript

function escapeHtml(str) {
  return str
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Usage
escapeHtml('<script>alert("XSS")</script>');
// → &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;

In DOM-based code, prefer textContent over innerHTML — the browser escapes automatically:

const el = document.createElement('p');
el.textContent = userInput; // safe, no entity encoding needed
document.body.appendChild(el);

Python

import html

html.escape('<b>AT&T</b>', quote=True)
# → '&lt;b&gt;AT&amp;T&lt;/b&gt;'

# Decode entities back to text
html.unescape('&lt;b&gt;AT&amp;T&lt;/b&gt;')
# → '<b>AT&T</b>'

The quote=True flag (the default) also escapes " and '.

Go

import "html"

escaped := html.EscapeString(`<script>alert("XSS")</script>`)
// → &lt;script&gt;alert(&#34;XSS&#34;)&lt;/script&gt;

unescaped := html.UnescapeString("&lt;b&gt;AT&amp;T&lt;/b&gt;")
// → <b>AT&T</b>

PHP

// Escape for HTML output (the correct way)
echo htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// Escape ALL HTML entities (including accented letters)
echo htmlentities($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// Decode entities back to characters
echo html_entity_decode('&lt;b&gt;AT&amp;T&lt;/b&gt;', ENT_QUOTES, 'UTF-8');
// → <b>AT&T</b>

htmlspecialchars handles the Big Five; htmlentities converts every character with a named entity. In practice, htmlspecialchars is sufficient for UTF-8 pages.


Encoding vs Decoding

Operation What it does When to use
Encode (escape) <&lt; Before inserting user content into HTML
Decode (unescape) &lt;< After reading HTML to get plain text

Always encode on output, not on input. Store raw text in your database; encode it at the point where it enters HTML.


Common Mistakes

Mistake 1 — Double-encoding
Encoding text that's already encoded turns &amp; into &amp;amp;. Encode exactly once per output.

Mistake 2 — Encoding inside <script> tags
JavaScript string context has different escaping rules. Don't insert &lt; inside a script block; use JSON encoding (JSON.stringify) instead.

Mistake 3 — Forgetting attributes
<img alt="3 < 5"> breaks the parser. Always escape inside attribute values too.

Mistake 4 — Trusting &nbsp; for layout
Non-breaking spaces are for preventing line breaks between words, not for indentation. Use CSS margins and padding for spacing.


Quick-Reference: 10 Most Used Entities

Type Character Entity
Ampersand & &amp;
Less-than < &lt;
Greater-than > &gt;
Double quote " &quot;
Non-breaking space &nbsp;
Copyright © &copy;
Em dash &mdash;
Ellipsis &hellip;
Euro &euro;
Registered ® &reg;

FAQ

Do I need entities in XHTML?
XHTML is strict XML, so the Big Five (&amp;, &lt;, &gt;, &quot;, &apos;) are mandatory. Named entities like &nbsp; still work, but you must declare the XHTML DTD to support them.

Does UTF-8 encoding eliminate the need for entities?
Mostly yes — UTF-8 can represent every Unicode character, so you don't need numeric entities like &#169; for © any more. You still must escape the Big Five (& < > " ') because they're HTML syntax, not character encoding issues.

Are HTML entities case-sensitive?
Named entities are case-sensitive: &amp; works, &AMP; doesn't. Numeric entities are not case-sensitive: &#x26; and &#X26; are both valid.

Can I use entities inside CSS?
No. CSS has its own escape syntax using a backslash: \0026 for &. HTML entities only work inside HTML markup.

What's the difference between &nbsp; and a regular space?
A regular space allows the browser to break the line there. &nbsp; prevents line-breaking between two words and also prevents the browser from collapsing multiple spaces into one.

How do I find the entity for any Unicode character?
Use the HTML Encoder tool — paste any text and it converts special characters to their correct entities instantly.

Related tools

Keep reading

All Toolmingotools are free & run in your browser

No sign-up, no upload, no watermark. Your files never leave your device.

Browse all tools