HTML Entities Cheat Sheet
A practical reference for HTML entity references — the special character codes you use to embed reserved characters, symbols, currency signs, arrows, math notation, and Greek letters in HTML. Each entry shows the rendered character, the named form, and the numeric form. Use the HTML entity encoder/decoder to convert any text in either direction.
The Five You Must Escape
These are the only characters that break HTML if left raw, plus the quote characters that break attribute values. Every templating engine escapes these by default. Always escape them when inserting user-supplied content into HTML by hand.
| Character | Named | Numeric | Hex | Why |
|---|---|---|---|---|
| & | `&amp;` | `&#38;` | `&#x26;` | Starts every entity reference |
| < | `&lt;` | `&#60;` | `&#x3C;` | Opens HTML tags |
| > | `&gt;` | `&#62;` | `&#x3E;` | Closes HTML tags |
| " | `&quot;` | `&#34;` | `&#x22;` | Closes double-quoted attributes |
| ' | `&apos;` | `&#39;` | `&#x27;` | Closes single-quoted attributes |
Note on the apostrophe: the named form `&apos;` is part of XML and HTML5 but not HTML4. `&#39;` works everywhere and is the safer choice for output.
Whitespace and Punctuation
| Character | Named | Numeric | Description |
|---|---|---|---|
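|   | `&nbsp;` | `&#160;` | Non-breaking space |
|   | `&ensp;` | `&#8194;` | En space (½ em wide) |
|   | `&emsp;` | `&#8195;` | Em space (1 em wide) |
|   | `&thinsp;` | `&#8201;` | Thin space |
| … | `&hellip;` | `&#8230;` | Horizontal ellipsis |
| – | `&ndash;` | `&#8211;` | En dash (use for ranges) |
| — | `&mdash;` | `&#8212;` | Em dash (use for breaks in prose) |
| “ | `&ldquo;` | `&#8220;` | Left double quote |
| ” | `&rdquo;` | `&#8221;` | Right double quote |
| ‘ | `&lsquo;` | `&#8216;` | Left single quote |
| ’ | `&rsquo;` | `&#8217;` | Right single quote / apostrophe |
| « | `&laquo;` | `&#171;` | Left guillemet |
| » | `&raquo;` | `&#187;` | Right guillemet |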
Common Symbols
| Character | Named | Numeric | Description |
|---|---|---|---|
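| © | `&copy;` | `&#169;` | Copyright |
| ® | `&reg;` | `&#174;` | Registered trademark |
| ™ | `&trade;` | `&#8482;` | Trademark |
| § | `&sect;` | `&#167;` | Section sign |
| ¶ | `&para;` | `&#182;` | Pilcrow / paragraph mark |
| † | `&dagger;` | `&#8224;` | Dagger |
| ‡ | `&Dagger;` | `&#8225;` | Double dagger |
| ° | `&deg;` | `&#176;` | Degree |
| · | `&middot;` | `&#183;` | Middle dot |
| • | `&bull;` | `&#8226;` | Bullet |
| ¡ | `&iexcl;` | `&#161;` | Inverted exclamation |
| ¿ | `&iquest;` | `&#191;` | Inverted question mark |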
Currency
| Character | Named | Numeric | Description |
|---|---|---|---|
| $ | `&dollar;` | `&#36;` | Dollar (US) |
| ¢ | `&cent;` | `&#162;` | Cent |
| £ | `&pound;` | `&#163;` | Pound sterling |
| € | `&euro;` | `&#8364;` | Euro |
| ¥ | `&yen;` | `&#165;` | Yen / Yuan |
| ₹ | — | `&#8377;` | Indian rupee |
| ₱ | — | `&#8369;` | Philippine peso |
| ₽ | — | `&#8381;` | Russian ruble |
| ₿ | — | `&#8383;` | Bitcoin |
| ¤ | `&curren;` | `&#164;` | Generic currency symbol |
Arrows
| Character | Named | Numeric | Description |
|---|---|---|---|
| ← | `&larr;` | `&#8592;` | Left arrow |
| → | `&rarr;` | `&#8594;` | Right arrow |
| ↑ | `&uarr;` | `&#8593;` | Up arrow |
| ↓ | `&darr;` | `&#8595;` | Down arrow |
| ↔ | `&harr;` | `&#8596;` | Left-right arrow |
| ⇐ | `&lArr;` | `&#8656;` | Double left arrow |
| ⇒ | `&rArr;` | `&#8658;` | Double right arrow / implies |
| ⇔ | `&hArr;` | `&#8660;` | Double left-right / iff |
Math Symbols
| Character | Named | Numeric | Description |
|---|---|---|---|
| × | `&times;` | `&#215;` | Multiplication |
| ÷ | `&divide;` | `&#247;` | Division |
| ± | `&plusmn;` | `&#177;` | Plus-minus |
| − | `&minus;` | `&#8722;` | Minus (true minus, not hyphen) |
| ≠ | `&ne;` | `&#8800;` | Not equal |
| ≤ | `&le;` | `&#8804;` | Less than or equal |
| ≥ | `&ge;` | `&#8805;` | Greater than or equal |
| ≈ | `&asymp;` | `&#8776;` | Approximately equal |
| ≡ | `&equiv;` | `&#8801;` | Identical / equivalent |
| ∞ | `&infin;` | `&#8734;` | Infinity |
| √ | `&radic;` | `&#8730;` | Square root |
| ∑ | `&sum;` | `&#8721;` | Summation |
| ∏ | `&prod;` | `&#8719;` | Product |
| ∂ | `&part;` | `&#8706;` | Partial differential |
| ∫ | `&int;` | `&#8747;` | Integral |
| ‰ | `&permil;` | `&#8240;` | Per mille (per thousand) |
| ½ | `&frac12;` | `&#189;` | One half |
| ¼ | `&frac14;` | `&#188;` | One quarter |
| ¾ | `&frac34;` | `&#190;` | Three quarters |
Greek Letters (Common in Math & Science)
| Character | Named | Numeric | Description |
|---|---|---|---|
| α | `&alpha;` | `&#945;` | Alpha (lowercase) |
| β | `&beta;` | `&#946;` | Beta |
| γ | `&gamma;` | `&#947;` | Gamma |
| δ | `&delta;` | `&#948;` | Delta (lowercase) |
| Δ | `&Delta;` | `&#916;` | Delta (uppercase, used for "change in") |
| ε | `&epsilon;` | `&#949;` | Epsilon |
| θ | `&theta;` | `&#952;` | Theta |
| λ | `&lambda;` | `&#955;` | Lambda |
| μ | `&mu;` | `&#956;` | Mu (used for micro-) |
| π | `&pi;` | `&#960;` | Pi |
| σ | `&sigma;` | `&#963;` | Sigma (lowercase) |
| Σ | `&Sigma;` | `&#931;` | Sigma (uppercase) |
| φ | `&phi;` | `&#966;` | Phi |
| ω | `&omega;` | `&#969;` | Omega (lowercase) |
| Ω | `&Omega;` | `&#937;` | Omega (uppercase, used for ohms) |
Named, Numeric, and Hex — All Three Forms
Every entity can be written three ways. They all render to the same character:
```html
&copy;   <!-- named: most readable -->
&#169;   <!-- decimal numeric: works for any code point -->
&#xA9;   <!-- hex numeric: works for any code point -->
```
Use named entities when one exists — they're easier to read. Use numeric or hex for characters without a named form, or for any character above U+FFFF (where the hex form is the only practical option).
For characters with no named form, the numeric form is generated from the Unicode code point. The trumpet 🎺 has code point U+1F3BA — write it as `&#127930;` (decimal 127930) or `&#x1F3BA;` (hex). Both render as 🎺.
When You Actually Need Entities
Modern HTML is UTF-8 by default. You can write ©, €, α, and → directly in your source files, and they render correctly. Entities are required only in three situations:
- Reserved characters: the five must-escape ones (`&`, `<`, `>`, `"`, `'`) need entities to avoid breaking the markup or attribute parsing.
- Invisible characters: non-breaking spaces (`&nbsp;`), thin spaces, zero-width joiners. Easier to read in source as named entities than as raw whitespace you can't see.
- Output to non-UTF-8 contexts: if your HTML is being served as anything other than UTF-8, or processed by a tool that mangles non-ASCII, entities sidestep the encoding problem.
Outside those cases, just type the character. The web has been UTF-8 by default since 2010 and the HTML5 spec mandates UTF-8 for all new documents.
Escape User Input — Always
The most important use of entities is escaping user-supplied content to prevent XSS. Any string that came from outside your code — a form input, a URL parameter, a database row originally written by a user, an API response — must be entity-escaped before being embedded in HTML.
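```javascript
// JavaScript — escape the five must-escape characters
function escape(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}
```

```python
# Python — html.escape from the standard library
import html

user_input = '<b title="x">Tom & Jerry\'s</b>'  # sample value standing in for untrusted input
# quote=True (the default) also escapes " and ', which is required inside attribute values
safe = html.escape(user_input, quote=True)
```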
Modern templating engines (React, Vue, Svelte, Jinja, ERB, Razor) escape by default and require an explicit opt-out (v-html, {{!}}, raw, etc.) to render unescaped HTML. Use those defaults; only opt out when you've already sanitized the input with a library like DOMPurify.
If you're escaping by hand for any reason, the HTML entity encoder/decoder handles both directions in your browser.
Encode and Decode
The HTML entity encoder/decoder converts arbitrary text in either direction — useful for cleaning up data scraped from web pages or preparing strings to embed safely in HTML. For escaping JavaScript embedded in HTML, see the JavaScript escaping section above; for URL-safe encoding, the URL encoder/decoder handles percent-encoding.
Frequently Asked Questions
Which HTML entities must I always escape?
Five characters are mandatory to escape in HTML to prevent breaking the markup or opening XSS holes: ampersand (`&amp;`), less-than (`&lt;`), greater-than (`&gt;`), double quote (`&quot;`), and single quote (`&#39;` or `&apos;`). Always escape all five when inserting user-supplied content into HTML. Most templating engines (React, Vue, Jinja, ERB) escape these by default — escape manually only when you opt out of escaping or when building strings by hand.
What is the difference between named, numeric, and hex HTML entities?
Named entities use mnemonic names like `&copy;` for the copyright symbol. Numeric entities use the decimal Unicode code point like `&#169;`. Hex entities use the hexadecimal code point like `&#xA9;`. All three render identically. Named entities are easier to read but only ~250 are standardized, while numeric and hex work for any Unicode character. For obscure characters, numeric or hex is required; for common ones, named is more readable.
Do I need to escape characters in HTML attribute values?
Yes — attribute values need at minimum the matching quote character escaped. If the attribute uses double quotes, escape any double quotes in the value as `&quot;` or use `&#34;`. Same with single quotes. Ampersand should also be escaped to `&amp;` to prevent ambiguity with entity references. Less-than and greater-than are technically allowed unescaped in attributes but escaping them is safer and more portable.
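The following added example (not code from the original page) shows why the quote characters belong in the escape set: it renders an attribute with a text-only escape and with the five-character escape, then lists the attributes a start-tag scanner would see. It also goes one step beyond the text by covering unquoted attributes, where no escaping of the five is enough. The function names, the simplified scanner, and the sample values are assumptions made for illustration.

```javascript
// Added example: all names here are hypothetical, sample values are constructed.
const FIVE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeAll = s => String(s).replace(/[&<>"']/g, c => FIVE[c]);
// Escape that is adequate for text nodes only: quotes are left raw.
const escapeTextOnly = s => String(s).replace(/[&<>]/g, c => FIVE[c]);

// Build a start tag with one attribute; quote may be '"', "'" or '' (unquoted).
function renderTag(escapeFn, value, quote = '"') {
  return `<a title=${quote}${escapeFn(value)}${quote}>`;
}

// Simplified start-tag scanner (not a full HTML tokenizer): returns the
// attribute names found, handling double-quoted, single-quoted and
// unquoted values.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+/, '').replace(/>$/, '');
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed input containing the quote that matches the attribute delimiter.
const dq = 'x" onmouseover="track()';
const sq = "x' onmouseover='track()";

const weakTag = renderTag(escapeTextOnly, dq);        // quote left raw
const strongTag = renderTag(escapeAll, dq);           // quote becomes &quot;
const strongSingle = renderTag(escapeAll, sq, "'");   // quote becomes &#39;
// Unquoted attribute: whitespace ends the value, and the five-character
// escape does not touch whitespace.
const unquotedTag = renderTag(escapeAll, 'x onmouseover=track()', '');

console.log(attributeNames(weakTag));      // value escaped the attribute
console.log(attributeNames(strongTag));    // single attribute, as intended
console.log(attributeNames(strongSingle));
console.log(attributeNames(unquotedTag));  // always quote attribute values
```
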
Should I escape characters in JavaScript strings inside HTML?
Inside a script tag, HTML entity escaping does NOT apply — the JavaScript parser sees the raw characters. The dangerous sequence inside a script is the literal closing-tag bytes that match the parent script element, which can appear if user input contains that string. Two safe approaches: encode any forward slashes inside string literals using a Unicode escape, or pass user data via JSON in a data attribute and parse it with JSON.parse at runtime. Mixing HTML escaping and JavaScript escaping in the same context is where most XSS bugs live.
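The two approaches from this answer, as an added example that is not code from the original page: one helper serializes data for an inline script using Unicode escapes, the other prepares JSON for a data attribute. The helper names, the simplified model of where the HTML parser ends a script body, and the sample input are assumptions made for illustration; the first helper escapes `<`, `>`, `&` and the line separators in addition to the forward slash the text mentions.

```javascript
// Added example: helper names are hypothetical, sample input is constructed.
const FIVE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = s => String(s).replace(/[&<>"']/g, c => FIVE[c]);

// Inverse of escapeHtml, standing in for the decoding the browser applies
// to an attribute value before script reads it from dataset.
const DECODE = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
const decodeHtml = s => s.replace(/&(?:amp|lt|gt|quot|#39);/g, e => DECODE[e]);

// Approach 1: JSON for an inline <script>. JavaScript \uXXXX escapes keep
// the value intact for the JS parser while hiding "</script" from the
// HTML parser. U+2028/U+2029 are escaped for older JS engines.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\/\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Approach 2: JSON carried in a data attribute. Here HTML escaping is the
// right encoding, because the attribute value is parsed as HTML.
function jsonForDataAttr(value) {
  return escapeHtml(JSON.stringify(value));
}

// Simplified model of the HTML parser: a script body ends at the first
// "</script", regardless of JavaScript string quoting.
function scriptBodySeenByParser(body) {
  const end = body.search(/<\/script/i);
  return end === -1 ? body : body.slice(0, end);
}

const userInput = 'Bob</script><img src=x> & "co"';  // constructed

// JSON.stringify alone is not enough inside <script>.
const naiveBody = `var name = ${JSON.stringify(userInput)};`;
const safeBody = `var name = ${jsonForScript(userInput)};`;
const dataAttr = `<div id="cfg" data-name="${jsonForDataAttr(userInput)}"></div>`;

console.log(scriptBodySeenByParser(naiveBody)); // cut off inside the string
console.log(scriptBodySeenByParser(safeBody));  // whole statement survives
console.log(dataAttr);
```

In the page, the second form is read back with `JSON.parse(document.getElementById('cfg').dataset.name)`; the browser performs the entity decoding that `decodeHtml` stands in for here.
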
Which entities work in XML and SVG?
XML defines only five named entities: `&amp;`, `&lt;`, `&gt;`, `&quot;`, and `&apos;`. All other named entities like `&copy;` or `&nbsp;` will cause an XML parse error unless declared in a DTD. Numeric and hex entities (`&#169;`, `&#xA9;`) work in any XML document. SVG, being XML-based, follows the same rule. When generating SVG inside HTML, named entities work because the document is parsed as HTML; in standalone .svg files served as image/svg+xml, only the five XML entities are safe — use numeric or hex for everything else.