· By DevToolHub Team

HTML Entities: Complete Reference Table with Examples

HTML entities are special codes that represent characters in HTML documents. They exist because some characters have reserved meaning in HTML (like < and &), and others can’t be typed directly on a standard keyboard.

Why HTML Entities Exist

Three main reasons:

  1. Reserved characters. The < character starts an HTML tag. If you want to display a literal < in your page, you must use &lt; instead, or the browser will try to parse it as a tag.

  2. Security. User-generated content that isn’t entity-encoded can contain <script> tags, leading to XSS (Cross-Site Scripting) attacks. Encoding < as &lt; neutralizes this.

  3. Special symbols. Characters like ©, ™, €, →, and — aren’t on most keyboards but have named HTML entities for easy insertion.

The Five Essential Entities

These are the characters you must encode in HTML content:

CharacterNamed EntityNumericDescription
&&amp;&#38;Ampersand — starts entity sequences
<&lt;&#60;Less than — starts HTML tags
>&gt;&#62;Greater than — ends HTML tags
"&quot;&#34;Double quote — used in attributes
'&apos;&#39;Single quote / apostrophe

If you encode nothing else, always encode these five in user-generated content.

Common Symbol Entities

Typography

SymbolNamedNumericDescription
&mdash;&#8212;Em dash
&ndash;&#8211;En dash
&hellip;&#8230;Horizontal ellipsis
&lsquo;&#8216;Left single quote
&rsquo;&#8217;Right single quote
&ldquo;&#8220;Left double quote
&rdquo;&#8221;Right double quote
&nbsp;&#160;Non-breaking space

Currency

SymbolNamedNumericDescription
&euro;&#8364;Euro sign
£&pound;&#163;Pound sign
¥&yen;&#165;Yen / yuan sign
¢&cent;&#162;Cent sign
SymbolNamedNumericDescription
©&copy;&#169;Copyright
®&reg;&#174;Registered trademark
&trade;&#8482;Trademark
×&times;&#215;Multiplication sign
÷&divide;&#247;Division sign
±&plusmn;&#177;Plus-minus
&ne;&#8800;Not equal
&le;&#8804;Less than or equal
&ge;&#8805;Greater than or equal

Arrows

SymbolNamedNumericDescription
&larr;&#8592;Left arrow
&rarr;&#8594;Right arrow
&uarr;&#8593;Up arrow
&darr;&#8595;Down arrow

Three Entity Formats

Named entities — human-readable: &amp;, &lt;, &euro;

Decimal numeric — Unicode code point in decimal: &#38;, &#60;, &#8364;

Hexadecimal numeric — Unicode code point in hex: &#x26;, &#x3C;, &#x20AC;

All three produce the same result. Named entities are easier to read in source code, but not every character has a named entity. Numeric entities work for any Unicode character.

When to Encode

Always encode in these contexts:

<!-- In text content: encode < > & -->
<p>Use &lt;div&gt; for containers</p>

<!-- In attribute values: encode " (if using double quotes) -->
<input value="She said &quot;hello&quot;">

<!-- In user-generated content: encode ALL five essential characters -->
<div class="comment">{encodedUserContent}</div>

You don’t need entities for:

<!-- Modern UTF-8 documents handle these directly -->
<p>Café, naïve, résumé</p>

<!-- Emoji work directly in UTF-8 -->
<p>Hello 👋</p>

With UTF-8 encoding (which you should always use: <meta charset="utf-8">), you only need HTML entities for the five reserved characters and for characters you can’t easily type.

Security: HTML Entities and XSS Attacks

The most important practical use of HTML entities is preventing Cross-Site Scripting (XSS) — one of the most common web security vulnerabilities. XSS happens when an attacker injects malicious scripts into a web page viewed by other users.

How XSS Works

Without encoding, user input is interpreted as HTML:

<!-- DANGEROUS: If userName = "<script>alert('hacked')</script>" -->
<p>Welcome, {userName}</p>
<!-- Browser executes the script! -->

With proper encoding, the input is rendered as harmless text:

<!-- SAFE: The script tag is rendered as text, not executed -->
<p>Welcome, &lt;script&gt;alert(&#39;hacked&#39;)&lt;/script&gt;</p>

Types of XSS and How Encoding Helps

Stored XSS — malicious input is saved to the database (e.g., a comment, a profile name) and served to every user who views that page. Entity-encoding all output prevents the stored script from executing.

Reflected XSS — malicious input comes from the URL or form submission and is reflected back in the response. Encoding URL parameters before rendering them in HTML neutralizes the attack.

DOM-based XSS — malicious input manipulates the DOM directly via JavaScript. Entity encoding alone doesn’t prevent this — you also need to avoid injecting untrusted data into innerHTML, document.write(), or eval().

Framework Auto-Encoding

Modern frameworks encode by default, but each has an escape hatch:

FrameworkAuto-encodesBypass (dangerous)
ReactJSX expressions {value}dangerouslySetInnerHTML
VueTemplate expressions {{ "{{" }} value }}v-html directive
AngularTemplate interpolation {{ "{{" }} value }}[innerHTML] binding
Svelte{value}{@html value}
Django{{ "{{" }} value }} in templates{{ "{{" }} value|safe }} or mark_safe()

If you must render raw HTML, always sanitize it first with a library like DOMPurify.

Defense in Depth

Entity encoding is the first line of defense, but a robust strategy combines multiple layers:

  1. Encode all output — entity-encode user data when rendering in HTML
  2. Content Security Policy — add a CSP header to restrict which scripts can execute
  3. Input validation — reject obviously malicious input at the boundary
  4. HttpOnly cookies — prevent scripts from accessing session tokens

Try It Yourself

Use our HTML Entity Encoder and HTML Entity Decoder to encode special characters or decode entity-encoded text — right in your browser.

HTML entities and URL percent-encoding are complementary — entities handle characters inside HTML documents, while percent-encoding handles characters inside URLs. For a quick comparison, the URL Encoding Cheat Sheet covers the percent-encoding side. If you’re working with APIs that return encoded data, you might also need Base64 decoding.

Further Reading

FAQ

What is the difference between named and numeric HTML entities?
Named entities use human-readable names like &amp; for & and &euro; for €. Numeric entities use the Unicode code point in decimal (&#38;) or hexadecimal (&#x26;) format. Both produce the same result, but not every character has a named entity — numeric entities work for all 149,000+ Unicode characters.
Do I need HTML entities if my page uses UTF-8 encoding?
You still need to encode the five reserved characters (<, >, &, double quote, single quote) in HTML content and attributes to prevent parsing errors and XSS attacks. But with UTF-8 (specified via <meta charset="utf-8">), you don't need entities for accented letters, symbols, or emoji — they can appear directly in the source.
Why does &amp;nbsp; behave differently from a regular space?
&amp;nbsp; (non-breaking space) prevents the browser from breaking a line at that position and prevents collapsing of multiple consecutive spaces. In HTML, multiple regular spaces are collapsed into one, but multiple &amp;nbsp; preserve the spacing. Use it between words that should stay on the same line, like "100 km" or "Dr. Smith".
Are HTML entities case-sensitive?
Named entities are case-sensitive in HTML5 — &amp;amp; works but &amp;AMP; is not standard. In XHTML, all entities are strictly case-sensitive. Numeric entities (&#38;, &#x26;) are case-insensitive for the hex digits. Always use lowercase named entities for maximum compatibility.
How do modern frameworks handle HTML entity encoding?
React, Vue, Angular, and Svelte all auto-encode text content by default — when you render a variable in JSX or a template, special characters are automatically escaped. You only bypass this protection when using dangerouslySetInnerHTML (React), v-html (Vue), or [innerHTML] (Angular). Server-side frameworks like Django and Jinja2 also auto-escape by default.
html entities web reference xss

Related Tools

Related Articles