HTML Entities: Complete Reference Table with Examples
HTML entities are special codes that represent characters in HTML documents. They exist because some characters have reserved meaning in HTML (like < and &), and others can’t be typed directly on a standard keyboard.
Why HTML Entities Exist
Three main reasons:
-
Reserved characters. The
<character starts an HTML tag. If you want to display a literal<in your page, you must use<instead, or the browser will try to parse it as a tag. -
Security. User-generated content that isn’t entity-encoded can contain
<script>tags, leading to XSS (Cross-Site Scripting) attacks. Encoding<as<neutralizes this. -
Special symbols. Characters like ©, ™, €, →, and — aren’t on most keyboards but have named HTML entities for easy insertion.
The Five Essential Entities
These are the characters you must encode in HTML content:
| Character | Named Entity | Numeric | Description |
|---|---|---|---|
& | & | & | Ampersand — starts entity sequences |
< | < | < | Less than — starts HTML tags |
> | > | > | Greater than — ends HTML tags |
" | " | " | Double quote — used in attributes |
' | ' | ' | Single quote / apostrophe |
If you encode nothing else, always encode these five in user-generated content.
Common Symbol Entities
Typography
| Symbol | Named | Numeric | Description |
|---|---|---|---|
| — | — | — | Em dash |
| – | – | – | En dash |
| … | … | … | Horizontal ellipsis |
| ’ | ‘ | ‘ | Left single quote |
| ’ | ’ | ’ | Right single quote |
| ” | “ | “ | Left double quote |
| ” | ” | ” | Right double quote |
|   | Non-breaking space |
Currency
| Symbol | Named | Numeric | Description |
|---|---|---|---|
| € | € | € | Euro sign |
| £ | £ | £ | Pound sign |
| ¥ | ¥ | ¥ | Yen / yuan sign |
| ¢ | ¢ | ¢ | Cent sign |
Legal and Math
| Symbol | Named | Numeric | Description |
|---|---|---|---|
| © | © | © | Copyright |
| ® | ® | ® | Registered trademark |
| ™ | ™ | ™ | Trademark |
| × | × | × | Multiplication sign |
| ÷ | ÷ | ÷ | Division sign |
| ± | ± | ± | Plus-minus |
| ≠ | ≠ | ≠ | Not equal |
| ≤ | ≤ | ≤ | Less than or equal |
| ≥ | ≥ | ≥ | Greater than or equal |
Arrows
| Symbol | Named | Numeric | Description |
|---|---|---|---|
| ← | ← | ← | Left arrow |
| → | → | → | Right arrow |
| ↑ | ↑ | ↑ | Up arrow |
| ↓ | ↓ | ↓ | Down arrow |
Three Entity Formats
Named entities — human-readable: &, <, €
Decimal numeric — Unicode code point in decimal: &, <, €
Hexadecimal numeric — Unicode code point in hex: &, <, €
All three produce the same result. Named entities are easier to read in source code, but not every character has a named entity. Numeric entities work for any Unicode character.
When to Encode
Always encode in these contexts:
<!-- In text content: encode < > & -->
<p>Use <div> for containers</p>
<!-- In attribute values: encode " (if using double quotes) -->
<input value="She said "hello"">
<!-- In user-generated content: encode ALL five essential characters -->
<div class="comment">{encodedUserContent}</div>
You don’t need entities for:
<!-- Modern UTF-8 documents handle these directly -->
<p>Café, naïve, résumé</p>
<!-- Emoji work directly in UTF-8 -->
<p>Hello 👋</p>
With UTF-8 encoding (which you should always use: <meta charset="utf-8">), you only need HTML entities for the five reserved characters and for characters you can’t easily type.
Security: HTML Entities and XSS Attacks
The most important practical use of HTML entities is preventing Cross-Site Scripting (XSS) — one of the most common web security vulnerabilities. XSS happens when an attacker injects malicious scripts into a web page viewed by other users.
How XSS Works
Without encoding, user input is interpreted as HTML:
<!-- DANGEROUS: If userName = "<script>alert('hacked')</script>" -->
<p>Welcome, {userName}</p>
<!-- Browser executes the script! -->
With proper encoding, the input is rendered as harmless text:
<!-- SAFE: The script tag is rendered as text, not executed -->
<p>Welcome, <script>alert('hacked')</script></p>
Types of XSS and How Encoding Helps
Stored XSS — malicious input is saved to the database (e.g., a comment, a profile name) and served to every user who views that page. Entity-encoding all output prevents the stored script from executing.
Reflected XSS — malicious input comes from the URL or form submission and is reflected back in the response. Encoding URL parameters before rendering them in HTML neutralizes the attack.
DOM-based XSS — malicious input manipulates the DOM directly via JavaScript. Entity encoding alone doesn’t prevent this — you also need to avoid injecting untrusted data into innerHTML, document.write(), or eval().
Framework Auto-Encoding
Modern frameworks encode by default, but each has an escape hatch:
| Framework | Auto-encodes | Bypass (dangerous) |
|---|---|---|
| React | JSX expressions {value} | dangerouslySetInnerHTML |
| Vue | Template expressions {{ "{{" }} value }} | v-html directive |
| Angular | Template interpolation {{ "{{" }} value }} | [innerHTML] binding |
| Svelte | {value} | {@html value} |
| Django | {{ "{{" }} value }} in templates | {{ "{{" }} value|safe }} or mark_safe() |
If you must render raw HTML, always sanitize it first with a library like DOMPurify.
Defense in Depth
Entity encoding is the first line of defense, but a robust strategy combines multiple layers:
- Encode all output — entity-encode user data when rendering in HTML
- Content Security Policy — add a CSP header to restrict which scripts can execute
- Input validation — reject obviously malicious input at the boundary
- HttpOnly cookies — prevent scripts from accessing session tokens
Try It Yourself
Use our HTML Entity Encoder and HTML Entity Decoder to encode special characters or decode entity-encoded text — right in your browser.
HTML entities and URL percent-encoding are complementary — entities handle characters inside HTML documents, while percent-encoding handles characters inside URLs. For a quick comparison, the URL Encoding Cheat Sheet covers the percent-encoding side. If you’re working with APIs that return encoded data, you might also need Base64 decoding.
Further Reading
- MDN: HTML character references — Browser-supported entity reference
- W3C HTML5: Named character references — Complete list of 2,231 named entities
- OWASP XSS Prevention Cheat Sheet — Security best practices for output encoding
- MDN: Content Security Policy — Additional layer of XSS protection