How to Encode < in HTML

The less-than sign < in HTML becomes &lt;. Without this encoding, the browser interprets < as the start of an HTML tag. This can break your page layout and, more critically, create cross-site scripting (XSS) vulnerabilities if user input contains <script> tags.

Essential HTML Entities

Character   Entity    Numeric   Description
<           &lt;      &#60;     Less-than
>           &gt;      &#62;     Greater-than
&           &amp;     &#38;     Ampersand
"           &quot;    &#34;     Double quote
'           &#39;     &#39;     Single quote

Code Examples

JavaScript

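// Safe: textContent inserts the string as text, so it is never parsed as HTML
// (element is an existing DOM node)
element.textContent = '<script>alert("xss")</script>';

// Manual escaping: replace & first so the entities added afterwards are not re-encoded
function escapeHTML(str) {
  return String(str).replace(/&/g, '&amp;')
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;')
            .replace(/"/g, '&quot;')
            .replace(/'/g, '&#39;'); // single quote, needed inside '...' attribute values
}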
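
The manual escaping approach above, extended as an added example (not code from the original page): a single-pass encoder for all five characters in the table, a contrast case showing what happens when & is replaced last, a decoder for the named and numeric forms, and a check that a string is fully encoded. All function names and the sample string are constructed for illustration.

```javascript
// Added example; names and sample input are hypothetical.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single pass: each input character is visited once, so the '&' that an
// entity introduces is never encoded a second time.
function encodeEntities(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Pitfall, shown for contrast: chained replaces with '&' handled last
// re-encode the ampersands produced by the earlier steps.
function encodeAmpersandLast(input) {
  return String(input)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/&/g, '&amp;');
}

// Decoder for the named and numeric forms listed in the table.
const DECODE = {
  '&amp;': '&', '&#38;': '&', '&lt;': '<', '&#60;': '<',
  '&gt;': '>', '&#62;': '>', '&quot;': '"', '&#34;': '"', '&#39;': "'",
};
const ENTITY = 'amp|lt|gt|quot|#38|#60|#62|#34|#39';
function decodeEntities(encoded) {
  return String(encoded).replace(new RegExp(`&(?:${ENTITY});`, 'g'), (m) => DECODE[m]);
}

// True when no raw markup-significant character is left and every '&'
// starts one of the entities above.
function isFullyEncoded(s) {
  return !/[<>"']/.test(s) && !new RegExp(`&(?!(?:${ENTITY});)`).test(s);
}

// Constructed sample input containing all five characters.
const sample = `Tom & "Jerry" <b>O'Brien</b>`;
const safe = encodeEntities(sample);
console.log(safe);
console.log(encodeAmpersandLast('<b>'));   // double-encoded output
console.log(`<input value='${safe}'>`);    // the single-quoted attribute stays closed
```
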

Python

import html
html.escape('<script>')
# '&lt;script&gt;'

Try It Yourself

Use our HTML Entity Encode & Decode tool to encode any text for safe HTML display.

Frequently Asked Questions

What are the most common HTML entities?

The five essential HTML entities are: &lt; for <, &gt; for >, &amp; for &, &quot; for double quotes, and &#39; for single quotes.

Why is HTML encoding important for security?

Without proper encoding, user-supplied input containing <script> tags will execute as JavaScript in other users' browsers when the page displays it. This is called cross-site scripting (XSS) and is one of the most common web vulnerabilities.

Built by Michael Lip. 100% client-side — no data leaves your browser.