HTML Entities Explained: The Only 5 You Must Know
HTML entities are short codes β like < for < and & for & β that tell a browser to display a character instead of interpreting it as markup. They exist because a handful of characters have jobs in HTML syntax, and the moment your content contains one of them, the browser can't tell your text from your tags.
Here's a confession from the first code-snippet page we ever shipped: the tutorial rendered beautifully right up to the first <div> in the example code, at which point the browser did exactly what it was told β it treated the example as a real tag and swallowed half the article. No error, no warning. Just a page that quietly ended mid-sentence. One pass through an HTML encoder fixed it, and the lesson stuck: entities aren't trivia, they're the difference between showing code and running it.
By the end of this guide you'll know the five entities worth memorizing, how to write any character numerically when there's no name for it, how to diagnose the classic double-encoding bug, and where entities fit in your security story.
What is an HTML entity?
An entity has three parts: an ampersand, a name or number, and a semicolon. < is the named entity for < β lt for "less than." When the parser meets it, it renders the character and moves on, never mistaking it for the start of a tag.
The HTML spec defines over two thousand named entities, from © (Β©) to genuinely obscure mathematical symbols. That number scares people into thinking there's a lot to learn. There isn't β because modern pages are UTF-8, you can type Β©, Γ©, or δΈ directly into your HTML and it just works. Entities are only required for the characters that collide with HTML syntax itself.
The only five entities you must know
| Character | Entity | Why it needs escaping |
|---|---|---|
< |
< |
Starts a tag |
> |
> |
Ends a tag |
& |
& |
Starts an entity |
" |
" |
Ends a double-quoted attribute |
' |
' |
Ends a single-quoted attribute |
That's the whole required reading. Notice the apostrophe uses a numeric code rather than the name ' β that name is valid in HTML5, but it wasn't in HTML4, and some older tooling still chokes on it. ' works everywhere, so it's the safer habit. (You were going to ask about β the non-breaking space. It's the most common entity in the wild, but it's a layout tool, not an escaping requirement.)
Named, decimal, hex: three spellings of one character
Every character can be written by its Unicode code point, no name required. The copyright sign is code point 169, so all three of these render Β©:
© <!-- named -->
© <!-- decimal -->
© <!-- hexadecimal -->
This is why you never need to memorize the long tail of named entities: if a character has no name, or you can't remember it, the numeric form always works. The hex variant is handy when you're already looking at a character's code point in a Unicode table β and if hex itself is unfamiliar, our hexadecimal guide covers it in ten minutes.
The double-encoding bug (you'll meet it eventually)
Sooner or later a page will show your users literal text like & or Tom &amp; Jerry. That's double encoding: content that was already encoded got encoded again, so the & in & became &amp;. It usually happens when two layers of a system β say, a CMS and a template engine β each helpfully encode the same string.
Diagnosing it is quick. Paste the broken text into an HTML decoder and decode once. If it comes out right, you had exactly one extra layer; find the code path that encodes already-encoded data and make encoding happen exactly once, at output time. The rule that prevents the whole class of bug: store raw text, encode at the moment you render it β never before.
Entities are a security control, not just a display fix
Everything above treats entities as cosmetic. They're also load-bearing: encoding untrusted input before rendering it is one of the primary defenses against cross-site scripting. If a user submits <script> and you encode it to <script>, the browser displays the text instead of executing it. That single transformation is the difference between showing a comment and running an attacker's code in every visitor's session.
One honest caveat: entity encoding protects HTML element content. Attributes, URLs, and inline JavaScript each have their own escaping rules, and using the wrong one for the context is how encoded-but-still-vulnerable pages happen. Your framework's templating engine almost certainly does context-aware escaping for you β the entities knowledge is for the moments you step outside it.
Encode and decode without thinking
These run entirely in your browser, nothing uploaded:
- HTML Encoder β turn
<,>,&, and quotes into safe entities for code samples and dynamic content. - HTML Decoder β reverse it, including one-layer-at-a-time decoding for double-encoding forensics.
- HTML Viewer β preview markup safely to confirm what actually renders.
- URL Encoder β the sibling escaping scheme for URLs; different characters, same idea.
Conclusion
HTML entities boil down to one rule and five codes: encode text at render time, and know <, >, &, ", and ' on sight. Numeric forms cover every other character, double-encoding means one layer too many, and the same mechanism that fixes your broken code samples is quietly protecting your users from injected scripts. Not bad for a handful of ampersands and semicolons.
Try the tools
Frequently Asked Questions
What is an HTML entity?
An HTML entity is a short code, starting with & and ending with ;, that tells the browser to display a character instead of interpreting it as markup. < displays a < sign, which would otherwise start a tag.
Which HTML entities do I actually need?
Five cover practically every real situation: < for <, > for >, & for &, " for double quotes, and ' for apostrophes. Everything else can be typed as a literal character in UTF-8 pages.
What is the difference between named and numeric entities?
Named entities use a memorable word (©), while numeric entities use the character's code point in decimal (©) or hexadecimal (©). All three render identically; numeric forms work for every character, named forms only for the ones the HTML spec defines.
Why does my page show & instead of &?
The text was encoded twice. The & of an existing entity was itself encoded to &, turning & into &amp;. Decode one layer with an HTML decoder and fix the code path that encodes already-encoded content.
Does HTML encoding prevent XSS?
It is a core part of the defense. Encoding untrusted text before inserting it into HTML stops injected markup like <script> from being parsed as code. The full defense is context-aware: element content, attributes, URLs, and JavaScript each need the right encoding for that context.
CodeUtilityKit Team builds free, privacy-first developer tools that run entirely in your browser. Every guide is written and reviewed by developers who use these tools daily.