HTML Entity Encoding Cheatsheet: Copy-Paste Codes for & < > and 40+ Characters
A developer quick reference for HTML entity encoding — all three formats for & < > and 40+ named entities, with copy-paste templates for HTML, JSX, and CMS use.
This is a copy-paste reference, not a tutorial. You know why entities exist. You need the codes — in all three formats — and you need them now.
One orienting fact: the HTML5 specification defines 2,231 named character references (per the WHATWG HTML Living Standard). You'll use about 30 of them regularly. This cheatsheet covers those 30 plus the Big Five you must escape for security.
The Big Five — Mandatory Security Escapes
These five characters must be encoded every time you write untrusted input into HTML. Missing even one opens an XSS vector. XSS has ranked in the OWASP Top 10 every year since the list launched, placing third in the 2021 edition.
| Raw | Named | Decimal | Hex | Context |
|-----|-------|---------|-----|---------|
| & | &amp; | &#38; | &#x26; | Always escape first — starts all entities |
| < | &lt; | &#60; | &#x3C; | Prevents tag injection |
| > | &gt; | &#62; | &#x3E; | Needed in certain injection patterns |
| " | &quot; | &#34; | &#x22; | Breaks double-quoted attributes |
| ' | &apos; | &#39; | &#x27; | Breaks single-quoted attributes (&apos; is XML only) |
Order matters: encode & before anything else, or you'll double-encode your own entities.
Real Input/Output Example
I ran this string through a named-entity encoder with the "dangerous characters only" scope (the Big Five and nothing else):
Input:
<script>alert("Hello & goodbye")</script>
Output:
&lt;script&gt;alert(&quot;Hello &amp; goodbye&quot;)&lt;/script&gt;
That output renders as harmless visible text in a browser. A browser parsing the raw input would execute alert(). The HTML Entity Encoder / Decoder runs this transformation locally — paste your string, select "Dangerous only" scope, pick Named format, and copy the result.
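The same transformation as an added JavaScript example (this is not the cheatsheet's tool or code; the function names are mine). It encodes the Big Five in named, decimal or hex form in a single regex pass, which is what makes the "& first" rule automatic, and keeps a deliberately wrong sequential version beside it to show the double-encoding the rule prevents:

```javascript
// Added example, not from the original cheatsheet.
// Big Five in named form. The apostrophe uses &#39; rather than &apos;,
// since the cheatsheet notes &apos; is XML-only.
const BIG_FIVE_NAMED = new Map([
  ['&', '&amp;'],
  ['<', '&lt;'],
  ['>', '&gt;'],
  ['"', '&quot;'],
  ["'", '&#39;'],
]);

// Encode one dangerous character in the requested format.
function encodeChar(ch, format) {
  const cp = ch.codePointAt(0);
  switch (format) {
    case 'named':   return BIG_FIVE_NAMED.get(ch);
    case 'decimal': return `&#${cp};`;
    case 'hex':     return `&#x${cp.toString(16).toUpperCase()};`;
    default:        throw new Error(`unknown format: ${format}`);
  }
}

// "Dangerous characters only" scope. One regex pass replaces every Big Five
// character in a single sweep, so the "&" that begins an emitted "&lt;" is
// never read again and cannot be double-encoded.
function encodeDangerous(input, format = 'named') {
  return String(input).replace(/[&<>"']/g, (ch) => encodeChar(ch, format));
}

// The mistake the cheatsheet warns about: sequential replacements with "&"
// handled last. The "&" inside the freshly emitted "&lt;" gets re-encoded.
function encodeNaiveWrongOrder(input) {
  return String(input)
    .replaceAll('<', '&lt;')
    .replaceAll('>', '&gt;')
    .replaceAll('&', '&amp;'); // turns "&lt;" into "&amp;lt;"
}

// Constructed sample input: the string from the section above.
const SAMPLE = '<script>alert("Hello & goodbye")</script>';
console.log(encodeDangerous(SAMPLE));            // named
console.log(encodeDangerous(SAMPLE, 'decimal')); // decimal
console.log(encodeDangerous(SAMPLE, 'hex'));     // hex
console.log(encodeNaiveWrongOrder('<b>'));       // double-encoded output
```

Running it prints the named output shown above, followed by the decimal and hex equivalents; the last line prints `&amp;lt;b&amp;gt;`, which a browser displays as the literal text `&lt;b&gt;` instead of `<b>`.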
Format Cheatsheet: Named vs Decimal vs Hex
All three encode the same character identically from the browser's perspective. Pick based on context:
| Format | When to use it |
|--------|---------------|
| Named (&amp;) | Default for the Big Five and common symbols — self-documenting |
| Decimal (&#38;) | Legacy XML/SGML pipelines that reject non-built-in named entities |
| Hex (&#x26;) | When you're already working with Unicode code points in your codebase |
Switch between formats using the HTML Entities Encoder — it exposes named, decimal, and hex output in a single toggle, no separate conversion step needed.
Typography Entities — The 20 You'll Actually Use
These appear constantly in CMS content, legal copy, and technical writing:
| Character | Named | Decimal | Code point |
|-----------|-------|---------|------------|
| non-breaking space | &nbsp; | &#160; | U+00A0 |
| © copyright | &copy; | &#169; | U+00A9 |
| ® registered | &reg; | &#174; | U+00AE |
| ™ trademark | &trade; | &#8482; | U+2122 |
| — em dash | &mdash; | &#8212; | U+2014 |
| – en dash | &ndash; | &#8211; | U+2013 |
| … ellipsis | &hellip; | &#8230; | U+2026 |
| “ left double quote | &ldquo; | &#8220; | U+201C |
| ” right double quote | &rdquo; | &#8221; | U+201D |
| ‘ left single quote | &lsquo; | &#8216; | U+2018 |
| ’ right single quote / apostrophe | &rsquo; | &#8217; | U+2019 |
| « left guillemet | &laquo; | &#171; | U+00AB |
| » right guillemet | &raquo; | &#187; | U+00BB |
| • bullet | &bull; | &#8226; | U+2022 |
| · middle dot | &middot; | &#183; | U+00B7 |
| § section sign | &sect; | &#167; | U+00A7 |
| ¶ pilcrow | &para; | &#182; | U+00B6 |
| † dagger | &dagger; | &#8224; | U+2020 |
| ‡ double dagger | &Dagger; | &#8225; | U+2021 |
| ¿ inverted question | &iquest; | &#191; | U+00BF |
Math and Currency Entities
| Character | Named | Decimal |
|-----------|-------|---------|
| € euro | &euro; | &#8364; |
| £ pound | &pound; | &#163; |
| ¥ yen/yuan | &yen; | &#165; |
| ¢ cent | &cent; | &#162; |
| × multiply | &times; | &#215; |
| ÷ divide | &divide; | &#247; |
| ± plus-minus | &plusmn; | &#177; |
| ≠ not equal | &ne; | &#8800; |
| ≤ less or equal | &le; | &#8804; |
| ≥ greater or equal | &ge; | &#8805; |
| ∞ infinity | &infin; | &#8734; |
| √ square root | &radic; | &#8730; |
| ∑ sum | &sum; | &#8721; |
| π pi | &pi; | &#960; |
| ° degree | &deg; | &#176; |
| ½ one-half | &frac12; | &#189; |
| ¼ one-quarter | &frac14; | &#188; |
Copy-Paste Templates for Common Contexts
Plain HTML — attribute with user content
<input value="&lt;user input here&gt;" type="text">
<p class="note">&amp;mdash; is the entity for an em dash</p>
Legal/copyright footer
<footer>
<p>Copyright &copy; 2024 Acme Corp. All rights reserved.&reg;</p>
<p>Prices shown in USD&mdash;taxes not included.</p>
</footer>
Typography in a CMS paragraph
<p>Press the key combination Ctrl&amp;C to copy&mdash;or use
Ctrl&amp;V to paste. The shortcut doesn&rsquo;t work in all terminals.</p>
Displaying code with angle brackets
<pre><code>&lt;div class="container"&gt;
  &lt;p&gt;Hello world&lt;/p&gt;
&lt;/div&gt;</code></pre>
When Entity Encoding Is Not Enough
Entity encoding protects text content and quoted attribute values. Three contexts need extra handling:
href values: href="javascript:alert(1)" contains no unencoded Big Five characters yet executes JavaScript. Always validate the URL scheme — reject javascript:, data:, vbscript: — before writing user input into href.
Inline event handlers: onclick="doThing('...')" requires both HTML entity encoding (to protect the attribute quote) and JavaScript string escaping inside the event handler. If the content is user-supplied, replace onclick with a data-* attribute plus an event listener.
Template literals and JSON: when user input moves into a <script> block or a JSON value embedded in HTML, entity encoding is wrong — the browser does not decode entities inside a script element, so </script> encoded as &lt;/script&gt; arrives in the JavaScript as the literal text &lt;/script&gt;, and a raw </script> still terminates the block. Use JavaScript-string escaping (backslash sequences) for script context, not entity encoding.
The String Escape Tool handles JSON string escaping, JavaScript string escaping, and regex escaping in one place — useful when the same value must survive multiple encoding layers in sequence.
Quick Diagnostic: Which Format Do I Need?
Is the value going into HTML text content or a quoted attribute?
→ Yes → Entity encode the Big Five (use named format for readability)
→ No, it's going into a JavaScript string inside <script>
→ Use JS string escaping (\n, \", \\, &)
→ No, it's going into href=
→ Validate the scheme first; URL-encode the path/query; entity-encode the whole URL for the attribute
→ No, it's going into onclick= or similar
→ JS-escape the content, then entity-encode the result for the attribute context
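The decision tree as code, added here as an example (not from the cheatsheet or any tool it mentions; all function names are mine). It covers the three contexts that entity encoding alone does not protect: href= is validated with a scheme allowlist (stricter than the reject-list above), script context gets JavaScript string escaping, and event-handler attributes get JS escaping followed by entity encoding, in that order. It assumes the WHATWG URL API and that only http, https and mailto links are wanted:

```javascript
// Added example, not from the original cheatsheet.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // assumption

// Text content and quoted attributes: Big Five entity encoding.
function encodeForHtml(s) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => table[ch]);
}

// href= context: validate the scheme first, then entity-encode the
// normalised URL for the attribute. Returns null for anything that should
// not become a link (non-allowlisted scheme, relative or malformed input).
function safeHrefAttribute(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // url.href is already percent-encoded by the URL parser; the attribute
  // still needs entity encoding (e.g. "&" in a query string -> "&amp;").
  return encodeForHtml(url.href);
}

// <script> context: JavaScript string escaping. Quotes, backslashes and line
// terminators get backslash sequences; "<", ">" and "&" become \uXXXX so the
// byte sequence "</script>" can never appear literally in the script block.
function escapeForJsString(s) {
  return String(s).replace(/[\\"'\n\r\u2028\u2029<>&]/g, (ch) => {
    switch (ch) {
      case '\\': return '\\\\';
      case '"':  return '\\"';
      case "'":  return "\\'";
      case '\n': return '\\n';
      case '\r': return '\\r';
      default:   return '\\u' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
    }
  });
}

// onclick= context: two layers. JS-escape first (inner), entity-encode the
// result for the attribute (outer). The browser undoes them in reverse: the
// HTML parser decodes entities, then the JS engine reads the backslash escapes.
function escapeForEventHandlerAttribute(s) {
  return encodeForHtml(escapeForJsString(s));
}

// Constructed sample inputs.
console.log(safeHrefAttribute('https://example.com/?q=a&b')); // https://example.com/?q=a&amp;b
console.log(safeHrefAttribute('javascript:alert(1)'));        // null
console.log(escapeForJsString('</script>'));                  // \u003C/script\u003E
console.log(escapeForEventHandlerAttribute("it's"));          // it\&#39;s
```

The allowlist is the design choice worth noting: a reject-list of javascript:, data: and vbscript: has to be kept current, while an allowlist only ever admits schemes you have decided are safe. For the event-handler case, the cleaner fix the cheatsheet already recommends is to avoid the inline handler entirely and read the value from a data-* attribute in an event listener; the two-layer escaping is for code that cannot be restructured yet.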
I keep a copy of this decision tree in a team wiki and paste it into onboarding docs. Four years of code reviews have convinced me it prevents more XSS questions than any longer document.
Made by Toolora · Updated 2026-06-28