Product
Introducing Socket Fix for Safe, Automated Dependency Upgrades
Automatically fix and test dependency updates with socket fix—a new CLI tool that turns CVE alerts into safe, automated upgrades.
By John-David Dalton - Apr 25, 2025
🚀 Socket Launch Week 🚀 Day 5: Introducing Socket Fix.Learn More →
html-entities
Advanced tools
What is html-entities?
The html-entities package is a utility for encoding and decoding HTML entities. It can encode and decode a wide range of characters, including special characters, symbols, and emojis, to their corresponding HTML entities and vice versa. This is useful for preventing XSS attacks, rendering special characters in web pages, and working with text that includes characters that need to be escaped in HTML.
What are html-entities's main functionalities?
Encode special characters to HTML entities
This feature allows you to convert characters that have special meaning in HTML into their corresponding entities, making it safe to insert the text into HTML documents.
const { encode } = require('html-entities');
const result = encode('<div>Hello & Welcome!</div>');
console.log(result); // <div>Hello & Welcome!</div>Decode HTML entities to their original characters
This feature enables you to convert HTML entities back into their original characters, which is useful when you need to process or display the text as it was originally intended.
const { decode } = require('html-entities');
const result = decode('<div>Hello & Welcome!</div>');
console.log(result); // <div>Hello & Welcome!</div>Support for all HTML5 entities
The package includes support for all named HTML5 entities, allowing you to encode and decode a comprehensive set of characters.
const { encode } = require('html-entities');
const result = encode('© ∆');
console.log(result); // © ΔHandling of non-ASCII characters
This feature is specifically for encoding non-ASCII characters into their numerical HTML entity equivalents, which can be important for internationalization and dealing with various character sets.
const { encodeNonAsciiHTML } = require('html-entities');
const result = encodeNonAsciiHTML('Привет!');
console.log(result); // Привет!Other packages similar to html-entities
he
The 'he' package is an HTML entity encoder/decoder written in JavaScript. It is robust and handles a large number of character references. Compared to html-entities, 'he' claims to be the fastest and most comprehensive HTML entity library, and it strictly adheres to the HTML5 specification.
entities
The 'entities' package is another library for encoding and decoding HTML entities. It is used internally by the 'htmlparser2' library, which is a fast and forgiving HTML/XML parser. While 'entities' offers similar functionality to html-entities, it is particularly optimized for use with 'htmlparser2' and may be more suitable for parsing tasks.
html-entities
Fastest HTML entities library.
Comes with both TypeScript and Flow types.
Installation
$ npm install html-entities
Usage
encode(text, options)
Encodes text replacing HTML special characters (<>&"') and/or other character ranges depending on mode option value.
import {encode} from 'html-entities';
encode('< > " \' & © ∆');
// -> '< > " ' & © ∆'
encode('< ©', {mode: 'nonAsciiPrintable'});
// -> '< ©'
encode('< ©', {mode: 'nonAsciiPrintable', level: 'xml'});
// -> '< ©'
encode('< > " \' & ©', {mode: 'nonAsciiPrintableOnly', level: 'xml'});
// -> '< > " \' & ©'
Options:
level
allalias tohtml5(default).html5usesHTML5named references.html4usesHTML4named references.xmlusesXMLnamed references.
mode
specialCharsencodes only HTML special characters (default).nonAsciiencodes HTML special characters and everything outside the ASCII character range.nonAsciiPrintableencodes HTML special characters and everything outiside of the ASCII printable characters.nonAsciiPrintableOnlyeverything outiside of the ASCII printable characters keeping HTML special characters intact.extensiveencodes all non-printable characters, non-ASCII characters and all characters with named references.
numeric
decimaluses decimal numbers when encoding html entities. i.e.©(default).hexadecimaluses hexadecimal numbers when encoding html entities. i.e.©.
decode(text, options)
Decodes text replacing entities to characters. Unknown entities are left as is.
import {decode} from 'html-entities';
decode('< > " ' & © ∆');
// -> '< > " \' & © ∆'
decode('©', {level: 'html5'});
// -> '©'
decode('©', {level: 'xml'});
// -> '©'
Options:
level
allalias tohtml5(default).html5usesHTML5named references.html4usesHTML4named references.xmlusesXMLnamed references.
scope
bodyemulates behavior of browser when parsing tag bodies: entities without semicolon are also replaced (default).attributeemulates behavior of browser when parsing tag attributes: entities without semicolon are replaced when not followed by equality sign=.strictignores entities without semicolon.
decodeEntity(text, options)
Decodes a single HTML entity. Unknown entitiy is left as is.
import {decodeEntity} from 'html-entities';
decodeEntity('<');
// -> '<'
decodeEntity('©', {level: 'html5'});
// -> '©'
decodeEntity('©', {level: 'xml'});
// -> '©'
Options:
level
allalias tohtml5(default).html5usesHTML5named references.html4usesHTML4named references.xmlusesXMLnamed references.
Performance
Statistically significant comparison with other libraries using benchmark.js.
Results by this library are marked with *.
The source code of the benchmark is available at benchmark/benchmark.ts.
Common
Initialization / Load speed
#1: he x 516 ops/sec ±5.71% (78 runs sampled)
* #2: html-entities x 407 ops/sec ±5.64% (81 runs sampled)
#3: entities x 352 ops/sec ±4.16% (80 runs sampled)
HTML5
Encode test
* #1: html-entities.encode - html5, extensive x 437,236 ops/sec ±0.90% (98 runs sampled)
#2: entities.encodeHTML x 335,714 ops/sec ±0.87% (92 runs sampled)
Encode non-ASCII test
* #1: html-entities.encode - html5, nonAscii x 749,246 ops/sec ±0.61% (96 runs sampled)
#2: entities.encodeNonAsciiHTML x 706,984 ops/sec ±1.06% (98 runs sampled)
* #3: html-entities.encode - html5, nonAsciiPrintable x 691,193 ops/sec ±4.47% (90 runs sampled)
#4: he.encode x 141,105 ops/sec ±0.87% (92 runs sampled)
Decode test
#1: entities.decodeHTML x 678,595 ops/sec ±1.28% (92 runs sampled)
#2: entities.decodeHTMLStrict x 684,372 ops/sec ±2.76% (82 runs sampled)
* #3: html-entities.decode - html5, strict x 485,664 ops/sec ±0.80% (94 runs sampled)
* #4: html-entities.decode - html5, body x 463,074 ops/sec ±1.11% (93 runs sampled)
* #5: html-entities.decode - html5, attribute x 456,185 ops/sec ±2.24% (91 runs sampled)
#6: he.decode x 302,668 ops/sec ±2.73% (90 runs sampled)
HTML4
Encode test
* #1: html-entities.encode - html4, nonAscii x 737,475 ops/sec ±1.04% (95 runs sampled)
* #2: html-entities.encode - html4, nonAsciiPrintable x 649,866 ops/sec ±4.28% (79 runs sampled)
* #3: html-entities.encode - html4, extensive x 202,337 ops/sec ±3.66% (64 runs sampled)
Decode test
* #1: html-entities.decode - html4, attribute x 529,674 ops/sec ±0.90% (90 runs sampled)
* #2: html-entities.decode - html4, body x 499,135 ops/sec ±2.27% (80 runs sampled)
* #3: html-entities.decode - html4, strict x 489,806 ops/sec ±4.37% (84 runs sampled)
XML
Encode test
* #1: html-entities.encode - xml, nonAscii x 823,097 ops/sec ±0.75% (81 runs sampled)
* #2: html-entities.encode - xml, nonAsciiPrintable x 764,638 ops/sec ±0.93% (93 runs sampled)
#3: entities.encodeXML x 672,186 ops/sec ±1.51% (92 runs sampled)
* #4: html-entities.encode - xml, extensive x 376,870 ops/sec ±0.76% (77 runs sampled)
Decode test
#1: entities.decodeXML x 930,758 ops/sec ±2.90% (90 runs sampled)
* #2: html-entities.decode - xml, body x 617,321 ops/sec ±0.74% (83 runs sampled)
* #3: html-entities.decode - xml, attribute x 611,598 ops/sec ±0.50% (92 runs sampled)
* #4: html-entities.decode - xml, strict x 607,191 ops/sec ±2.30% (85 runs sampled)
Escaping
Escape test
#1: entities.escapeUTF8 x 1,930,874 ops/sec ±0.80% (95 runs sampled)
#2: he.escape x 1,717,522 ops/sec ±0.75% (84 runs sampled)
* #3: html-entities.encode - xml, specialChars x 1,611,374 ops/sec ±1.30% (92 runs sampled)
#4: entities.escape x 673,710 ops/sec ±1.30% (94 runs sampled)
License
MIT
Security contact information
To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.
html-entities for enterprise
Available as part of the Tidelift Subscription
The maintainers of html-entities and thousands of other packages are working with
Tidelift to deliver commercial support and maintenance for the open source
dependencies you use to build your applications. Save time, reduce risk, and
improve code health, while paying the maintainers of the exact dependencies you
use.
Learn more.
2.6.0 (2025-03-30)
Features
2.5.6 (2025-03-30)
Bug Fixes
- significantly reduce package size (72c7819)
2.5.5 (2025-03-28)
Bug Fixes
- incorrect typescript dependency (adb6176)
2.5.4 (2025-03-28)
Bug Fixes
2.5.3 (2025-03-23)
Bug Fixes
- improve encoding performance (f4d14e2)
2.5.0
- Include source maps into the npm package.
2.4.0
- Introduce
nonAsciiPrintableOnlymode.
2.3.5
- Reduce unnecessarily long RegExps.
2.3.4
- Fix the problem decoding HTML5 entities those names are part of HTML4 entities.
2.3.3
package.json: specifysideEffects: false
2.3.2
- Minimize data files, remove unnecessary files.
2.3.1
- Improve performance of
encode(),decode()anddecodeEntity()by using function inlining. - Fix decoding HEX HTML entities in some cases.
2.3.0
- Add flow types.
2.2.0
- A fast
decodeEntity()method to decode a single HTML entity.
2.1.1
- Speed up both
encode()anddecode()methods.
2.1.0
- Add
extensivemode toencode()method. This mode encodes all non-printable characters, non-ASCII characters and all characters with named references.
2.0.6
- Handle invalid numeric HTML entities: mimic browser behaviour.
2.0.5
- Handling behaviour of ambiguous ampersands.
2.0.4
- Fix webpack build warning.
2.0.3
- Handle invalid numeric HTML entities.
2.0.2
- Handle
nullandundefinedtext values.
2.0.1
- Fix decoding numeric HTML entities.
2.0.0
-
Performance was greatly improved.
-
New API: simpler and more flexible.
htmlEntitiesInstance.encode(text)->encode(text)Before:
import {AllHtmlEntities} from 'html-entities'; const entities = new AllHtmlEntities(); console.log( entities.encode('<Hello & World>') );After:
import {encode} from 'html-entities'; console.log( encode('<Hello & World>') );instance.encodeNonASCII(text)->encode(text, {mode: 'nonAscii'})Before:
import {AllHtmlEntities} from 'html-entities'; const entities = new AllHtmlEntities(); console.log( entities.encodeNonASCII('& © ∆') );After:
import {encode} from 'html-entities'; console.log( encode('& © ∆', {mode: 'nonAscii'}) );instance.encodeNonASCII(text)->encode(text, {mode: 'nonAsciiPrintable'})Before:
import {AllHtmlEntities} from 'html-entities'; const entities = new AllHtmlEntities(); console.log( entities.encodeNonASCII('& © ∆ \x01') );After:
import {encode} from 'html-entities'; console.log( encode('& © ∆ \x01', {mode: 'nonAsciiPrintable'}) );instance.decode(text)->decode(text)Before:
import {AllHtmlEntities} from 'html-entities'; const entities = new AllHtmlEntities(); console.log( entities.decode('<>&') );After:
import {decode} from 'html-entities'; console.log( decode('<>&') );Different XML/HTML versions are now implemented via options instead of different classes.
Before:
import {XmlEntities, Html4Entities, Html5Entities, AllHtmlEntities} from 'html-entities'; const xmlEntities = new XmlEntities(); const html4Entities = new Html4Entities(); const html5Entities = new Html5Entities(); const allHtmlEntities = new AllHtmlEntities(); console.log(xmlEntities.encode('<>&')); console.log(html4Entities.encode('<>&©')); console.log(html5Entities.encode('<>&©℞')); console.log(allHtmlEntities.encode('<>&©℞')); console.log(xmlEntities.decode('<>&')); console.log(html4Entities.decode('<>&©')); console.log(html5Entities.decode('<>&©℞')); console.log(allHtmlEntities.decode('<>&©℞'));After:
import {encode, decode} from 'html-entities'; console.log(encode('<>&', {level: 'xml'})); console.log(encode('<>&©', {level: 'html4', mode: 'nonAscii'})); console.log(encode('<>&©℞', {level: 'html5', mode: 'nonAscii'})); console.log(encode('<>&©℞', {level: 'all', mode: 'nonAscii'})); console.log(decode('<>&', {level: 'xml'})); console.log(decode('<>&©', {level: 'html4'})); console.log(decode('<>&©℞', {level: 'html5'})); console.log(decode('<>&©℞', {level: 'all'}));
FAQs
Fastest HTML entities encode/decode library.
The npm package html-entities receives a total of 15,440,023 weekly downloads. As such, html-entities popularity was classified as popular.
We found that html-entities demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 30 Mar 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
CISA Rebuffs Funding Concerns as CVE Foundation Draws Criticism
CISA denies CVE funding issues amid backlash over a new CVE foundation formed by board members, raising concerns about transparency and program governance.
By Sarah Gooding - Apr 24, 2025
Product
Introducing Historical Analytics – Now in Beta
We’re excited to announce a powerful new capability in Socket: historical data and enhanced analytics.
By Phil Gates-Idem - Apr 24, 2025