| Char | Entity Name | Numeric | Description |
|---|---|---|---|
| & | & | & | Ampersand |
| < | < | < | Less than |
| > | > | > | Greater than |
| " | " | " | Double quote |
| ' | ' | ' | Single quote |
| |   | Non-breaking space | |
| © | © | © | Copyright |
| ® | ® | ® | Registered |
| ™ | ™ | ™ | Trademark |
| — | — | — | Em dash |
HTML parsers interpret characters like <, >, and & as markup syntax. To display them literally, they must be escaped.
Encoding uses a hidden <div> element — setting textContent automatically escapes all special chars via the browser's built-in HTML serializer.
Decoding does the reverse — setting innerHTML then reading textContent has the browser parse entities back to their actual characters.
This technique is critical for preventing XSS attacks — always encode user-supplied data before inserting it into HTML!