
HTML Entities Reference: Special Characters for Web Pages

HTML entities let you display special characters safely in web pages. Learn which entities to use, when they are required, and how to find the right entity for any character.


HTML entities are codes used to represent characters that have special meaning in HTML or that cannot be typed directly in certain contexts. They appear in two forms: named entities like &amp; and numeric entities like &#38; (both representing the ampersand character). Knowing when and how to use HTML entities is essential for correct and secure web pages.

Why HTML Entities Exist

HTML uses certain characters as syntax: the less-than sign starts a tag, the greater-than sign ends one, the ampersand starts an entity reference. If your text content contains these characters, the browser would interpret them as syntax rather than literal content.

To display an ampersand as text, you write &amp; instead of the literal character. To display a less-than sign, you write &lt;. The browser renders both correctly as visible characters.

Security: Preventing XSS

One of the most important uses of HTML entities is preventing cross-site scripting (XSS). When displaying user-provided content in an HTML page, characters like less-than, greater-than, ampersand, single quotes, and double quotes must be escaped to prevent browsers from interpreting them as HTML or JavaScript.

Failing to escape user input before insertion into HTML is one of the most common and dangerous web security vulnerabilities. Every character rendering library or template engine has an auto-escape feature. Use it.

The Five Must-Escape Characters

The characters that must always be escaped in HTML content are:

Ampersand: &amp; (prevents entity misinterpretation)

Less-than: &lt; (prevents tag injection)

Greater-than: &gt; (closes tags safely)

Double quote: &quot; (required inside attribute values delimited by double quotes)

Single quote: &#39; or &apos; (required inside attribute values delimited by single quotes)
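The escaping rule above as an added JavaScript example (not code from the original page): a single-pass escaper for the five characters, next to a chained version that handles the ampersand last and therefore double-escapes. The function names, the renderComment helper, and the sample strings are constructed for illustration.

```javascript
// Map each of the five must-escape characters to its entity.
const ENTITY_FOR = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// One regex pass visits every input character exactly once, so the "&"
// inside an entity that was just emitted is never escaped a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_FOR[ch]);
}

// Chained replacements with "&" handled last: the ordering bug.
// "<" becomes "&lt;", then its "&" becomes "&amp;", giving "&amp;lt;".
function escapeHtmlWrongOrder(value) {
  return String(value)
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/&/g, "&amp;");
}

// Hypothetical template helper: untrusted values land in element content
// and in a double-quoted attribute value, the two contexts the list covers.
function renderComment(author, text) {
  return `<p title="${escapeHtml(author)}">${escapeHtml(text)}</p>`;
}

// Constructed sample input containing all five characters.
const sampleAuthor = 'Ann "A&B" O\'Neil';
const sampleText = "if a < b && b > c then <b>bold</b>";

console.log(renderComment(sampleAuthor, sampleText));
console.log(escapeHtmlWrongOrder("a < b"));
```

This escaping is correct for element content and quoted attribute values only; values placed in unquoted attributes, script blocks, or URLs need encoding specific to those contexts.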

Named Entities for Common Characters

Many common characters have named entities:

Copyright symbol: &copy; (©)

Registered trademark: &reg; (®)

Trademark symbol: &trade; (™)

Non-breaking space: &nbsp; (a space that does not break the line)

En dash: &ndash; (–)

Em dash: &mdash; (—)

Left double quotation mark: &ldquo; (“)

Right double quotation mark: &rdquo; (”)

Degree symbol: &deg; (°)

Multiplication sign: &times; (×)

Division sign: &divide; (÷)

Arrow right: &rarr; (→)

Numeric Entities

Every Unicode character can be represented as a numeric entity. Decimal form: &#decimal; and hexadecimal form: &#xhex;. The Euro sign is &#8364; or &#x20AC;. Numeric entities are useful when no named entity exists for a character.

When to Use Entities vs Direct Unicode

In modern HTML with UTF-8 encoding, you can include most Unicode characters directly in your HTML source without entities. The browser interprets them correctly because the document encoding declaration (or meta charset tag) tells it to expect UTF-8.

Named entities are still useful for: the five essential security entities, the non-breaking space, characters that are visually similar to others and might cause confusion in source code, and characters that cannot be typed on a given keyboard.

Using the DevHexLab HTML Entities Reference

Open the tool at /tools/reference/html-entities-reference. Search by character name or browse categories to find the entity code for any character. Use it whenever you need to display special characters correctly in web pages.