Home/Glossary/HTML Entity Encoding

HTML Entity Encoding

A method of representing special characters in HTML using named or numeric references to prevent interpretation as code.

Web SecurityAlso called: "html entities", "html escaping"

HTML encoding converts special characters into entities to display them safely.

Common entities

  • < : < (less than).
  • > : > (greater than).
  • & : & (ampersand).
  • " : " (quote).
  • ' : ' (apostrophe).
  •   : Non-breaking space.

Why encode?

  • Prevent browsers from interpreting characters as HTML tags.
  • Display reserved characters literally.
  • Prevent cross-site scripting (XSS) attacks.
  • Properly render special and international characters.

Numeric encoding

  • Decimal: < (< symbol).
  • Hexadecimal: < (< symbol).

Security use

  • Essential for preventing XSS when displaying user input.
  • Encode all untrusted data before inserting into HTML.

Related Tools

Related Articles

View all articles
HTML Encoder/Decoder

HTML Encoder/Decoder

Encode and decode HTML entities for safe display in web pages with special character handling

Read article →
Webhook Security Implementation Workflow

Webhook Security Implementation Workflow

Master the complete webhook security implementation workflow used by backend engineers and API developers. This comprehensive guide covers HMAC signature validation, replay attack prevention, IP allowlisting, payload sanitization, and error handling aligned to OWASP API Security Top 10 2023.

Read article →
How Do I Encode HTML in JavaScript and Other Programming Languages?

How Do I Encode HTML in JavaScript and Other Programming Languages?

Learn the proper methods and best practices for encoding HTML across JavaScript, Python, PHP, and other popular programming languages to prevent XSS attacks.

Read article →
How Do I Safely Parse Untrusted JSON?

How Do I Safely Parse Untrusted JSON?

Learn secure techniques for parsing JSON from untrusted sources while preventing injection attacks, data corruption, and security vulnerabilities.

Read article →

Explore More Web Security

View all terms

CORS (Cross-Origin Resource Sharing)

A browser security mechanism that controls how web pages can request resources from different domains, preventing unauthorized cross-site data access.

Read more →

Cross-Site Request Forgery (CSRF)

An attack that tricks a victim into submitting unauthorized requests using their authenticated session.

Read more →

Cross-Site Scripting (XSS)

A web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

Read more →

HTTP Cookie

Small pieces of data stored by web browsers, used for session management, personalization, and tracking.

Read more →

HTTP Security Headers

Response headers that enable browser security protections against common web attacks.

Read more →

JSON Web Token (JWT)

A compact, URL-safe token format used to securely transmit claims between parties in web applications.

Read more →
Back to glossary