HTML Entities Explained: &, , and When to Escape
HTML entities exist because some characters have jobs: a < starts a tag, an & starts an entity, quotes end attributes. Writing those characters as content means escaping them — and decoding badly, or twice, produces the & garbage every developer eventually meets. Here is the system, the five characters that matter, and the bugs.
Open the HTML Entity Encoder / Decoder →
The five characters that must be escaped
Only a handful of characters are structurally meaningful in HTML: < (starts a tag), & (starts an entity), and inside attribute values, " or ' (ends the value). > rides along for symmetry. Writing them as content requires their escaped forms — <, &, ", ', >.
This is not just correctness, it is the security boundary of the web: putting user text into a page without escaping is precisely what cross-site scripting is. A commenter named <script>steal()</script> stays harmless text if escaped and becomes running code if not. Every template engine's auto-escaping does exactly what this tool's encode mode does — the tool is useful when you're the template engine: hand-editing HTML, filling a CMS field that doesn't escape, or preparing code samples for a blog post.
Named, decimal, hex: three spellings, one character
Every entity has a numeric form based on its Unicode codepoint — decimal — or hex — — and a few hundred common characters also have memorable names: —, ©, €. All three render identically; the differences are practical. Named entities are readable in source but only exist for a fixed list (and only in HTML — XML knows just five names, which is why in an RSS feed or SVG breaks the parse; use   there, and see the XML formatter when it does). Numeric forms work for every character everywhere. When in doubt, numeric decimal is the form that never fails.
The reverse lookup is the everyday need: an API hands you It’s here and you want to know what ’ is (a right single quote doing apostrophe duty — codepoint 8217). Paste it in the decoder, or search the reference table; for deeper what-is-this-character forensics, the Unicode inspector names any codepoint.
: the most used and most abused entity
The non-breaking space looks like a space but forbids a line break at its position and never collapses with neighbouring spaces. Its legitimate jobs are typographic: keeping units with their numbers (10 km), keeping initials with surnames, preventing a lonely last word. Its two abuses cause real bugs: layout by (indentation that breaks the moment fonts or widths change — that's CSS's job), and the sneaky one: a pasted invisibly into code or data. Word processors and chat apps emit it freely; a non-breaking space inside a config value or a CSS class name looks identical to a space and matches nothing. If two "identical" strings differ, decode both and look — it's the second most common invisible culprit after the zero-width space.
The &amp; bug: double encoding
Encode Fish & Chips once: Fish & Chips — correct. Encode it again and the & of & gets escaped: Fish &amp; Chips, which renders as the literal text "&". Every layer that "helpfully" escapes without knowing whether the text is already escaped adds one amp; — the visible symptom of stacked template engines, CMS filters and sanitisers each doing the right thing blindly. URLs in feeds are the classic victim (?a=1&b=2 breaking the link).
The discipline mirrors URL encoding's identical bug: store text raw, escape exactly once, at output, by the layer that knows the destination format. To repair damaged text, decode repeatedly until it stops changing — the swap button in the tool makes that a two-click loop — then find which layer was escaping twice and make it stop.
Smart quotes, mojibake, and other lookups
A grab-bag of the searches that end at this page: ‘/’ and “/” are curly "smart" quotes (autocorrect's work — fine in prose, fatal in code samples); – vs — are en and em dashes;  is a byte-order mark that leaked into content (see the CSV guide for where those come from). And if you see ’ where an apostrophe should be, that's not an entity problem at all — it's UTF-8 read as Latin-1, a different disease with a similar rash. Decoding entities won't fix encoding mojibake; knowing which one you have saves an afternoon.
Ready to try it? Open the HTML Entity Encoder / Decoder →