Type a literal < or & directly into an HTML page's content and a browser will try to interpret it as markup rather than display it as text. This tool HTML-encodes special characters so they render exactly as written.
Why displaying certain characters as text requires special handling
HTML's markup syntax relies on a small set of characters — most importantly <, > and & — to delimit tags and entities, which creates an inherent ambiguity: if a document's actual text content needs to include a literal less-than sign (say, in a mathematical expression or a code snippet), the browser needs some way to distinguish "this is a real tag" from "this is text that happens to look like a tag." HTML's solution, inherited from its SGML ancestry, is character entity references — reserved escape sequences like < for a literal < — that unambiguously represent a specific character as content rather than as markup syntax.
What HTML encoding does
The tool replaces HTML-significant characters with their corresponding named or numeric character entities: < becomes <, > becomes >, & becomes &, and quotation marks become " or ' — a small, well-defined set of substitutions that guarantee the encoded text will display literally rather than being misinterpreted as markup or, critically, executable script.
Where HTML encoding is essential, not just convenient
- Displaying user-generated content safely — any web application that shows text submitted by users (comments, usernames, form input) must HTML-encode it before rendering, or risk a cross-site scripting (XSS) vulnerability where an attacker's malicious
<script>tag executes in another user's browser. - Showing code snippets on a webpage — technical documentation and tutorials that display literal HTML, XML or code containing angle brackets need those characters encoded so they render as visible text rather than being parsed as actual markup.
- Embedding text within HTML attributes — dynamic values placed inside an attribute (like a title or alt text) need proper encoding to avoid accidentally breaking out of the attribute's quotation marks.
- RSS and Atom feed content — syndicated feed content, being XML-based, requires the same fundamental character encoding discipline as HTML to avoid malformed or misinterpreted feed data.
Frequently asked questions
Is HTML encoding actually a security measure? Yes, critically — proper output encoding is one of the fundamental defenses against cross-site scripting (XSS), one of the most common and long-standing web application vulnerability categories, consistently featured in security guidance like the OWASP Top 10; failing to encode user-submitted content before displaying it is a textbook XSS vulnerability.
What's the difference between named entities and numeric entities? Named entities (like &) are more human-readable shorthand for common characters, while numeric entities (like &, referencing the same ampersand by its Unicode code point) work for any character, including ones without a dedicated named entity — both are functionally equivalent to a browser.
Do I need to encode every character, or just the special ones? Just the handful of characters that have structural meaning in HTML (primarily <, >, &, and quotation marks in attribute contexts) — encoding ordinary letters, numbers and most punctuation is unnecessary, since they carry no special meaning to an HTML parser.
Further reading
OWASP — Cross-Site Scripting (XSS) — Why output encoding, including HTML entity encoding, is a core defense against XSS attacks.
MDN — Entity — Reference for HTML character entities and when they're required.