HTML Escape Reference

Reference table for HTML and XML escape characters: named entities and numeric codes.

About HTML Escape Reference

This reference lists HTML and XML escape characters including named entities (&amp;, &lt;) and numeric codes (&#38;, &#x26;). Use these to safely display special characters in HTML content.

It is useful when escaping user input for HTML, building XML documents, displaying code examples, creating documentation, and debugging character display issues in web pages.

Essential Escape Characters

Character  Entity   Decimal  When to Escape
&          &amp;    &#38;    Always - starts entity references
<          &lt;     &#60;    Always - starts HTML tags
>          &gt;     &#62;    Always - ends HTML tags
"          &quot;   &#34;    In double-quoted attributes
'          &apos;   &#39;    In single-quoted attributes

Common Named Entities

Currency:
  &cent;    &#162;   ¢  Cent sign
  &pound;   &#163;   £  Pound sign
  &euro;    &#8364;  €  Euro sign
  &yen;     &#165;   ¥  Yen sign

Mathematical:
  &plusmn;  &#177;   ±  Plus-minus
  &times;   &#215;   ×  Multiplication
  &divide;  &#247;   ÷  Division
  &lt;      &#60;    <  Less than
  &gt;      &#62;    >  Greater than

Punctuation:
  &ndash;   &#8211;  –  En dash
  &mdash;   &#8212;  —  Em dash
  &hellip;  &#8230;  …  Ellipsis
  &laquo;   &#171;   «  Left guillemet
  &raquo;   &#187;   »  Right guillemet

Symbols:
  &copy;    &#169;   ©  Copyright
  &reg;     &#174;   ®  Registered trademark
  &trade;   &#8482;  ™  Trademark
  &deg;     &#176;   °  Degree
  &micro;   &#181;   µ  Micro sign

How to Escape HTML in Different Languages

JavaScript (browser):
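  // DOM-based: the browser serializes the text node. This escapes & < >
  // but not quotes, so use it for element content, not attribute values.
  function escapeHtml(text) {
    const div = document.createElement('div');
    div.textContent = text;
    return div.innerHTML;
  }
  // Or manual replacement (& first, so later entities are not double-escaped):
  text.replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;');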

Node.js:
  const { escape } = require('html-escaper');
  const escaped = escape('<script>alert(1)</script>');

Python:
  import html
  escaped = html.escape('<script>alert(1)</script>')
  # Output: &lt;script&gt;alert(1)&lt;/script&gt;

PHP:
  $escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

Java:
  import org.apache.commons.text.StringEscapeUtils;  // Apache Commons Text
  String escaped = StringEscapeUtils.escapeHtml4(input);

C#:
  string escaped = System.Web.HttpUtility.HtmlEncode(input);

HTML Entity Format

Three formats for the same character:

1. Named entity (most readable):
   &copy; → ©

2. Decimal numeric (Unicode code point):
   &#169; → ©

3. Hexadecimal numeric (Unicode code point):
   &#x00A9; → ©

All three render identically in browsers.
Named entities are easier to read in source code.
Numeric entities work for all Unicode characters.

Entity format:
  & + name + ;     (named)
  & + # + digits + ;     (decimal)
  & + # + x + hex + ;    (hex)

XSS Prevention

Always escape user input before displaying in HTML:

DANGEROUS - XSS vulnerability:
  document.getElementById('output').innerHTML = userInput;

SAFE - textContent inserts the value as plain text, never parsed as markup:
  document.getElementById('output').textContent = userInput;

DANGEROUS in server-side rendering:
  return `<div>${userInput}</div>`;

SAFE with escaping:
  return `<div>${escapeHtml(userInput)}</div>`;
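
An added example (not code from this page): a DOM-free escapeHtml for the server-side rendering case above, applied to both element content and a double-quoted attribute. The renderComment template, the sample input, and escapeWrongOrder (which shows why & must be handled first in chained replaces) are constructed for illustration.

```javascript
// Added example: single-pass HTML escaper usable in Node.js templates (no DOM).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// One regex pass: each source character is replaced exactly once, so the
// '&' produced by a replacement can never be escaped a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Chained replaces with '&' handled last: demonstrates the double-escaping
// bug, where the '&' of '&lt;' is itself turned into '&amp;'.
function escapeWrongOrder(value) {
  return String(value)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/&/g, '&amp;');
}

// Hypothetical template: one value lands in a double-quoted attribute and
// one in element content, so quotes must be escaped as well as < > &.
function renderComment(author, body) {
  return `<div class="comment" title="${escapeHtml(author)}">${escapeHtml(body)}</div>`;
}

// Constructed sample input.
const sample = {
  author: 'Tom "T" & Jerry',
  body: "<script>alert(1)</script> it's 1 < 2",
};

console.log(renderComment(sample.author, sample.body));
console.log(escapeWrongOrder('<b>'));
```

Escape once, at the point of output: running escapeHtml over already-escaped text turns &amp; into &amp;amp;.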

Frequently Asked Questions

Why do we need to escape HTML characters?
HTML escaping prevents browsers from interpreting special characters as markup. Without escaping, < and > could be read as HTML tags, breaking content or enabling XSS attacks. Escaping converts < to &lt;, > to &gt;, etc., ensuring text displays correctly and securely.
What characters must be escaped in HTML?
Five characters must be escaped: < (less than) → &lt;, > (greater than) → &gt;, & (ampersand) → &amp;, " (double quote) → &quot;, ' (apostrophe) → &apos;. The ampersand and angle brackets are critical; quotes are needed inside attribute values.
What is the difference between named and numeric entities?
Named entities use descriptive names (&amp;, &lt;, &copy;). Numeric entities use decimal (&#38;) or hexadecimal (&#x26;) Unicode code points. Named entities are more readable; numeric entities work for all characters. Both render identically in browsers.
How do I escape HTML in JavaScript?
Create a temporary element and use textContent: function escapeHtml(text) { const div = document.createElement('div'); div.textContent = text; return div.innerHTML; }. Or use regex replacement: text.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').
What is &nbsp; and when should I use it?
&nbsp; (non-breaking space, &#160;) prevents line breaks at its position. Use it to keep words together (e.g., "Mr. Smith"), prevent collapsing multiple spaces, or add precise spacing. Don't use it for indentation (use CSS margin/padding).
How do I display ampersand in HTML?
Use &amp; to display an ampersand character. Writing & directly starts an entity reference and may cause validation errors. In URLs within HTML, escape & as &amp;: href="page.php?a=1&amp;b=2". In JavaScript strings, use & directly.