HTML entities and escaping: &, <, and when you need them
Some characters mean something special to the HTML parser. To show them literally — or to safely display user input — you replace them with entities. Skip this and you get broken pages or, worse, an XSS hole.
What an entity is
An HTML entity is a placeholder that renders as a character the parser would otherwise misread. &lt; displays a literal < instead of starting a tag. Entities start with & and end with ;. Encode or decode text in the HTML Encoder.
The characters you must escape
- & → &amp; (escape this first, or you double-encode the others)
- < → &lt;
- > → &gt;
- " → &quot; (inside double-quoted attributes)
- ' → &#39; (inside single-quoted attributes; &apos; also works in HTML5)
Named vs numeric references
You can reference a character by name (&copy;) or by code point in decimal (&#169;) or hex (&#xA9;). All three render ©. Named entities are readable; numeric ones work for any character, even one without a defined name.
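To make the three reference forms concrete, here is an added example (not code from the original page or its HTML Encoder tool) that decodes named, decimal and hex references back to characters. The named table is deliberately small and is an assumption of this example; the real HTML5 list has over two thousand names. Numeric references outside the Unicode range or in the surrogate block are left untouched rather than turned into garbage.

```javascript
// Added example, not part of the original page: decode the three reference
// forms the text describes: named (&copy;), decimal (&#169;) and hex (&#xA9;).
// NAMED is a constructed subset; the full HTML5 table is far larger.
const NAMED = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  copy: '\u00A9', nbsp: '\u00A0',
};

// Matches &name; , &#NNN; and &#xHHH; (the i flag also admits &#X...).
const REFERENCE = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;

function decodeEntities(text) {
  return String(text).replace(REFERENCE, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // Reject code points that are not valid scalar values; keep the text as-is.
      if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
      return String.fromCodePoint(cp);
    }
    // Named references are case-sensitive: &COPY; is not &copy;.
    const ch = NAMED[body];
    return ch === undefined ? match : ch;
  });
}

// All three spellings of the copyright sign decode to the same character.
function allFormsAgree() {
  const [named, dec, hex] = ['&copy;', '&#169;', '&#xA9;'].map(decodeEntities);
  return named === dec && dec === hex && hex === '\u00A9';
}

console.log(decodeEntities('&lt;b&gt;&copy; &#169; &#xA9; &unknown;'));
```

Unknown names and out-of-range numbers are passed through unchanged so that a decoder never silently drops text; a real-world decoder would also need the HTML5 rule that some legacy names are recognised without the trailing semicolon.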
Escaping and XSS
The real reason escaping matters: if you insert user input into a page without escaping < and &, an attacker can inject <script> and run code in your users’ browsers — cross-site scripting (XSS).
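The following is an added example, not code from the original page, that puts the escaping table above and this XSS point into working code. It escapes the five characters in a single pass, shows why the page says to escape & first by contrasting two sequential orderings, and runs a constructed user-supplied comment (containing the `<script>` tag the text mentions) through the escaper before it is placed in markup. The `buildComment` function and its sample input are assumptions of this example.

```javascript
// Added example, not part of the original page.
// Single-pass escaping: each character is replaced once, so '&' can never be
// re-encoded no matter where it appears in the table.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// The same job done with one replacement per character. Correct only when
// '&' is handled first; otherwise the '&' inside '&lt;' gets encoded again.
function escapeSequential(str, ampersandFirst) {
  let s = String(str);
  const steps = [['<', '&lt;'], ['>', '&gt;'], ['"', '&quot;'], ["'", '&#39;']];
  if (ampersandFirst) steps.unshift(['&', '&amp;']);
  else steps.push(['&', '&amp;']);
  for (const [from, to] of steps) s = s.split(from).join(to);
  return s;
}

// Constructed untrusted input: the tag the text warns about, plus an ampersand.
const USER_INPUT = '<script>alert("hi")</script> & more';

// Hypothetical template: every untrusted value is escaped before it reaches
// markup, both in the attribute and in the element body.
function buildComment(username, body) {
  return `<p class="comment" data-user="${escapeHtml(username)}">${escapeHtml(body)}</p>`;
}

// True when the escaped text contains no raw tag delimiters at all.
function containsNoTagChars(escaped) {
  return !/[<>]/.test(escaped);
}

console.log(escapeHtml(USER_INPUT));
console.log('wrong order :', escapeSequential('<', false)); // &amp;lt; (double-encoded)
console.log('right order :', escapeSequential('<', true));  // &lt;
console.log(buildComment('a"b', USER_INPUT));
```

The attribute in `buildComment` is double-quoted, which is why `&quot;` in the table matters: without it a `"` in the username could close the attribute early. Escaping in this way is only correct for HTML text and quoted attribute values; a value placed inside a `<script>` block, a URL or a CSS property needs the encoding rules of that context instead.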
Frequently asked questions
- Which characters must I escape in HTML?
- At minimum &, <, and >. Inside attribute values also escape the surrounding quote character (" or '). Escape & first so you do not double-encode the others.
- What is the difference between named and numeric entities?
- Named entities like &copy; are human-readable; numeric ones like &#169; or &#xA9; reference the character by code point and work even for characters without a named entity.
- How does escaping prevent XSS?
- Escaping turns < and & into entities so user input is displayed as text instead of being parsed as tags or scripts, blocking injected <script> from executing.
- Is HTML escaping the same as URL encoding?
- No. HTML escaping protects markup (&lt; for <), while URL encoding protects URLs (%20 for space). They apply in different contexts; see the URL encoding guide.
Try it yourself
Put this guide into practice — these tools run free in your browser.