Question 1

When do I need to encode HTML entities?

Accepted Answer

Whenever user-supplied or external text gets rendered as HTML. The five characters that absolutely must be escaped in HTML text content are &, <, >, " and ' — skipping any of them in a context where they're reserved is how you get broken markup or XSS vulnerabilities.

Question 2

Why are there both named entities (&) and numeric entities (&#38;)?

Accepted Answer

Named entities are easier to read; numeric (decimal or hex) entities work for any Unicode character. Modern HTML5 has named entities for over 2000 characters, but numeric is universally portable — useful when the recipient parser may be old.

Question 3

Will this break my emojis or non-Latin characters?

Accepted Answer

No — only HTML-reserved characters are encoded. Emojis, CJK text, and accented Latin characters pass through unchanged unless you opt into encoding all non-ASCII.

Question 4

Can this prevent XSS attacks?

Accepted Answer

Encoding is necessary but not sufficient. You still need to use context-appropriate escaping: HTML body, HTML attribute, JS string, and URL contexts each have different escaping rules. For user input rendered to HTML, prefer a templating engine that escapes by default plus a sanitizer like DOMPurify for HTML that must contain markup.

HTML Entities Encoder/Decoder

Decode

Encode

Frequently asked questions

Other Encoders

Base64 Encoder/Decoder

URL Encoder/Decoder

Text to Binary

Text to Unicode

Text to NATO Alphabet