entities vs he vs html-entities vs sanitize-html
HTML Entity Encoding, Decoding, and Sanitization in JavaScript
Search packages..
entitieshehtml-entitiessanitize-htmlSimilar Packages:

HTML Entity Encoding, Decoding, and Sanitization in JavaScript

entities, he, html-entities, and sanitize-html are widely used npm packages for handling HTML content in JavaScript applications. All four address aspects of working with HTML strings — specifically encoding or decoding HTML entities (like converting & to & or vice versa). However, they differ significantly in scope: entities, he, and html-entities focus exclusively on low-level entity transformations, while sanitize-html is a higher-level security tool that removes dangerous HTML to prevent XSS attacks, using entity decoding as part of its process. These libraries are essential when rendering user-generated content, processing rich text, or interfacing with APIs that return escaped HTML.

Npm Package Weekly Downloads Trend

3 Years

Github Stars Ranking

Stat Detail

Package
Downloads
Stars
Size
Issues
Publish
License
entities0375392 kB7a month agoBSD-2-Clause
he03,665-237 years agoMIT
html-entities0687132 kB6a year agoMIT
sanitize-html04,53069.8 kB13213 days agoMIT

Handling HTML Entities and Sanitization: entities vs he vs html-entities vs sanitize-html

When working with HTML strings in JavaScript — whether rendering user content, parsing RSS feeds, or building static site generators — you’ll inevitably face two related but distinct problems: (1) correctly converting between raw characters and their escaped HTML entity forms (e.g., &&), and (2) safely displaying untrusted HTML without exposing your app to XSS attacks. The packages entities, he, html-entities, and sanitize-html all touch this space, but they solve different layers of the problem. Let’s break down what each does, how they work, and when to use which.

🔤 Core Functionality: What Each Package Actually Does

entities: Low-Level, Spec-Aware Entity Conversion

entities is a minimal, zero-dependency library built for speed and correctness in entity encoding and decoding. It doesn’t pretend to be a sanitizer — it only handles the conversion between plain text and HTML/XML entities. It supports both named (©) and numeric (©) references and lets you choose decoding modes (strict, loose, etc.).

// Using entities
import { encode, decode } from 'entities';

const encoded = encode('AT&T > 5 & < 10');
// Result: 'AT&amp;T &gt; 5 &amp; &lt; 10'

const decoded = decode('&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;');
// Result: '<script>alert("xss")</script>'

Note: This does not remove the <script> tag — it only decodes entities. That’s intentional.

he: HTML5-Compliant Entity Handling

he (short for “HTML Entities”) strictly implements the HTML5 specification for entity parsing. It’s battle-tested and used in projects like Markdown parsers where spec compliance matters. Like entities, it only encodes/decodes — no sanitization.

// Using he
import { encode, decode } from 'he';

const encoded = encode('foo © bar ≠ baz 𝌆 qux');
// Result: 'foo &#xA9; bar &#x2260; baz &#x1D306; qux'

const decoded = decode('&lt;img src=x onerror=alert(1)&gt;');
// Result: '<img src=x onerror=alert(1)>'

Again, dangerous HTML remains intact — he assumes you’ll handle security separately.

html-entities: Class-Based API with Multiple Standards

html-entities takes a more object-oriented approach. You instantiate encoders/decoders for specific standards (HTML4, HTML5, XML), which is handy if your app deals with mixed document types.

// Using html-entities
import { Html5Entities } from 'html-entities';

const entities = new Html5Entities();

const encoded = entities.encode('5 > 3 & 2 < 4');
// Result: '5 &gt; 3 &amp; 2 &lt; 4'

const decoded = entities.decode('&lt;div onclick="steal()"&gt;Click me&lt;/div&gt;');
// Result: '<div onclick="steal()">Click me</div>'

The class-based design allows reuse with consistent settings, but adds slight overhead compared to function-based alternatives.

sanitize-html: Security-First HTML Cleaning

sanitize-html is in a different category. Its job isn’t just decoding — it’s removing unsafe HTML to prevent XSS. It parses the input into a DOM-like structure, walks the tree, and strips disallowed tags/attributes based on a configurable allowlist.

// Using sanitize-html
import sanitizeHtml from 'sanitize-html';

const dirty = '<script>alert("xss")</script><p>Hello <b>world</b>!</p>';
const clean = sanitizeHtml(dirty);
// Result: '<p>Hello <b>world</b>!</p>'

// It also decodes entities during parsing
const withEntities = '&lt;img src=x onerror=alert(1)&gt;';
const cleaned = sanitizeHtml(withEntities);
// Result: '' (empty string — no valid tags after decoding)

Crucially, sanitize-html always decodes entities as part of parsing, so you never see raw &lt; in the output — only the actual < character, which is then evaluated for safety.

⚖️ Key Trade-Offs: Performance, Safety, and Scope

When You Only Need Encoding/Decoding

If your task is purely transforming text ↔ entities (e.g., preparing strings for HTML insertion or parsing API responses that return escaped HTML), do not use sanitize-html. It’s overkill: it parses full HTML, walks a DOM tree, and applies rules — all unnecessary overhead.

Between entities, he, and html-entities:

  • entities is fastest and smallest. Use it in performance-sensitive contexts (e.g., SSR at scale).
  • he is best when you must match browser behavior exactly (e.g., in a Markdown-to-HTML pipeline).
  • html-entities shines when you need to switch between XML/HTML4/HTML5 modes or reuse configured instances.

When You Must Prevent XSS

If you’re rendering user-provided HTML (from a CMS, comment box, or WYSIWYG editor), only sanitize-html is appropriate. The others will happily give you executable script tags if the input contains them — even after decoding.

Example of why this matters:

// ❌ Dangerous: using a decoder alone
const userInput = '&lt;script&gt;stealCookies()&lt;/script&gt;';
const decoded = decode(userInput); // from any of the first three libs
// decoded = '<script>stealCookies()</script>'
document.body.innerHTML = decoded; // 💥 XSS vulnerability!

// ✅ Safe: using sanitize-html
const clean = sanitizeHtml(userInput);
// clean = '' (script tag removed)
document.body.innerHTML = clean; // safe

sanitize-html also supports advanced features like:

  • Custom allowed tags/attributes
  • Transform functions (e.g., add rel="noopener" to links)
  • Disabling entity decoding (though rarely needed)

🧪 Real-World Usage Scenarios

Scenario 1: Rendering API Data with Escaped HTML

You fetch blog posts from a REST API that returns titles like "Why 5 &gt; 3 Matters". You just need to display the real characters.

Best choice: entities or he

// Simple decoding
const title = decode(apiResponse.title); // "Why 5 > 3 Matters"

No sanitization needed — the data is trusted.

Scenario 2: Building a Static Site Generator

Your SSG processes Markdown files that may contain inline HTML. You need to encode code snippets for HTML output but also ensure user-authored HTML doesn’t break layout or introduce scripts.

Best combo: Use entities for encoding code blocks + sanitize-html for final output.

// Encode special chars in code
const codeHtml = `<code>${encode(codeString)}</code>`;

// Later, sanitize full page HTML
const finalHtml = sanitizeHtml(pageWithUserHtml);

Scenario 3: Accepting Rich Text from Users

Your app has a rich text editor (e.g., TinyMCE) that outputs HTML like <p>Hello <strong>you</strong></p>. You must store and later render this safely.

Only choice: sanitize-html

const cleanHtml = sanitizeHtml(userHtml, {
  allowedTags: ['p', 'strong', 'em', 'a'],
  allowedAttributes: { 'a': ['href'] }
});

Never decode first — let sanitize-html handle parsing and cleaning in one secure step.

📋 Summary Table

PackagePrimary PurposeHandles XSS?API StyleBest For
entitiesFast entity conversionFunctionalParsers, SSR, minimal dependencies
heHTML5-spec complianceFunctionalTools needing exact browser-like behavior
html-entitiesMulti-standard supportClass-basedApps switching between XML/HTML4/HTML5 modes
sanitize-htmlHTML sanitizationFunctionalRendering untrusted user-submitted HTML

💡 Final Guidance

  • Never mix concerns: Don’t use sanitizers for simple encoding, and don’t use decoders when you need security.
  • Trust your data source: If HTML comes from your own backend (not users), decoding alone is fine. If it’s user-generated, always sanitize.
  • Combine when needed: In complex apps (e.g., SSGs), you might use entities for intermediate encoding and sanitize-html for final output.

Remember: entity decoding and HTML sanitization are related but separate responsibilities. Choose the right tool for the job — your app’s security and performance depend on it.

How to Choose: entities vs he vs html-entities vs sanitize-html

  • entities:

    Choose entities if you need a lightweight, dependency-free library focused purely on accurate and fast HTML/XML entity encoding and decoding. It supports both named (&lt;) and numeric (&#60;) entities and offers fine-grained control over decoding strictness. Ideal for parsers, compilers, or SSR frameworks where minimal footprint and correctness are critical.

  • he:

    Choose he if you want a well-tested, spec-compliant utility that strictly follows the HTML5 standard for entity handling. It provides clear separation between encoding and decoding with options like useNamedReferences. Best suited for applications requiring standards fidelity, such as content processors or tools that must match browser behavior exactly.

  • html-entities:

    Choose html-entities if you prefer a more ergonomic API with class-based instantiation and support for multiple character sets (e.g., XML, HTML4, HTML5). It’s convenient when you need to reuse encoder/decoder instances with consistent settings across a codebase, though it’s slightly heavier than alternatives due to its modular design.

  • sanitize-html:

    Choose sanitize-html only when your primary goal is to safely render untrusted HTML by stripping malicious tags and attributes — not just entity conversion. It uses entity decoding internally but focuses on XSS prevention through allowlists, transforms, and deep DOM traversal. Never use it solely for encoding/decoding; use it when accepting user-submitted HTML (e.g., from WYSIWYG editors).

Similar Npm Packages to entities

entities is an npm package that provides utilities for encoding and decoding HTML entities. It is particularly useful for web developers who need to handle special characters in HTML, ensuring that they are properly represented in the browser. The package supports a wide range of character encodings, making it a versatile choice for various applications. By using entities, developers can easily convert characters to their corresponding HTML entities and vice versa, simplifying the process of working with text that includes special characters.

While entities is a solid option for handling HTML entities, there are other libraries that offer similar functionality. Here are a few alternatives:

  • he is a robust library for encoding and decoding HTML entities. It is known for its performance and compliance with the HTML5 specification. he supports a wide range of character encodings and provides a simple API for developers to use. If you need a reliable and efficient solution for handling HTML entities, he is an excellent choice. Its focus on performance makes it suitable for applications that require fast processing of text.
  • html-entities is another library that provides encoding and decoding of HTML entities. It offers a straightforward API and supports both named and numeric entities. html-entities is easy to use and integrates well into various projects. If you are looking for a simple and effective way to manage HTML entities without additional complexity, html-entities is a great alternative.

To see how entities compares with he and html-entities, check out the comparison: Comparing entities vs he vs html-entities.

Similar Npm Packages to he

he is a popular JavaScript library for encoding and decoding HTML entities. It provides a simple and efficient way to handle HTML entities in strings, making it easier to work with text that may contain special characters. This is particularly useful for web applications that need to display user-generated content safely and correctly. While he is a robust solution for handling HTML entities, there are other libraries available that offer similar functionality. Here are a few alternatives:

  • entities is a lightweight library that provides encoding and decoding of HTML and XML entities. It supports a wide range of entities and is designed to be simple to use. If you need a straightforward solution for handling HTML entities without additional features, entities is a solid choice. It is particularly useful in scenarios where you want to ensure that your text is safely encoded for display in a web browser.

  • html-entities is another library that focuses on encoding and decoding HTML entities. It provides a simple API for converting characters to their corresponding HTML entities and vice versa. html-entities is lightweight and easy to integrate into any project, making it a good alternative for developers looking for a minimalistic solution to handle HTML entities.

  • sanitize-html is a more comprehensive library that not only handles HTML entity encoding but also sanitizes HTML content to prevent XSS (Cross-Site Scripting) attacks. It allows developers to specify which HTML tags and attributes are safe to use, making it ideal for applications that need to display user-generated content securely. If your project requires both entity handling and HTML sanitization, sanitize-html is the best choice.

For a detailed comparison of these libraries, check out the link: Comparing entities vs he vs html-entities vs sanitize-html.

Similar Npm Packages to html-entities

html-entities is a popular npm package that provides utilities for encoding and decoding HTML entities. It allows developers to safely handle special characters in HTML, ensuring that text is displayed correctly in web applications. This package is particularly useful for preventing issues related to character encoding and for sanitizing user input. While html-entities is a solid choice for managing HTML entities, there are other alternatives available in the npm ecosystem. Here are a few:

  • entities is a comprehensive library for encoding and decoding HTML and XML entities. It supports a wide range of entities and provides a robust API for handling them. If you need a more extensive solution that covers both HTML and XML entities, entities is a great option. It is well-maintained and widely used, making it a reliable choice for projects that require entity handling.
  • he is another lightweight library designed for encoding and decoding HTML entities. It focuses on performance and simplicity, making it easy to integrate into any project. he is particularly useful for applications that require fast and efficient entity handling without the overhead of a larger library. If you are looking for a minimalistic approach to encoding and decoding HTML entities, he is an excellent choice.

To see how html-entities compares with entities and he, check out the comparison: Comparing entities vs he vs html-entities.

Similar Npm Packages to sanitize-html

sanitize-html is a popular npm package used to sanitize HTML input, ensuring that it is safe for rendering in web applications. It helps prevent cross-site scripting (XSS) attacks by allowing developers to specify which HTML tags and attributes are safe to use, effectively cleaning up potentially harmful content. This makes it an essential tool for applications that accept user-generated content, such as comment sections, forums, or any other input fields where users can submit HTML.

While sanitize-html is a powerful solution, there are alternative libraries that also provide HTML sanitization capabilities. Here are a few notable alternatives:

  • dompurify is a fast and robust library for sanitizing HTML and preventing XSS attacks. It is designed to work in both browser and Node.js environments, making it versatile for various applications. dompurify is particularly known for its performance and effectiveness in cleaning up HTML while preserving the intended formatting. It automatically removes any malicious scripts and unwanted elements, making it a reliable choice for developers looking to ensure the safety of their web applications.

  • xss is another library focused on preventing XSS attacks by sanitizing user input. It provides a simple API for filtering and cleaning HTML, allowing developers to define their own rules for what is considered safe. While it may not be as feature-rich as sanitize-html or dompurify, it offers a straightforward approach to sanitization and can be a good choice for projects that require a lightweight solution without extensive configuration.

To explore the differences and features of these libraries, check out the comparison: Comparing dompurify vs sanitize-html vs xss.

README for entities

entities NPM version Downloads Node.js CI

Encode & decode HTML & XML entities with ease & speed.

Features

  • 😇 Tried and true: entities is used by many popular libraries; eg. htmlparser2, the official AWS SDK and commonmark use it to process HTML entities.
  • ⚡️ Fast: entities is the fastest library for decoding HTML entities (as of September 2025); see performance.
  • 🎛 Configurable: Get an output tailored for your needs. You are fine with UTF8? That'll save you some bytes. Prefer to only have ASCII characters? We can do that as well!

How to…

…install entities

npm install entities

…use entities

const entities = require("entities");

// Encoding
entities.escapeUTF8("&#38; ü"); // "&amp;#38; ü"
entities.encodeXML("&#38; ü"); // "&amp;#38; &#xfc;"
entities.encodeHTML("&#38; ü"); // "&amp;&num;38&semi; &uuml;"

// Decoding
entities.decodeXML("asdf &amp; &#xFF; &#xFC; &apos;"); // "asdf & ÿ ü '"
entities.decodeHTML("asdf &amp; &yuml; &uuml; &apos;"); // "asdf & ÿ ü '"

Performance

Benchmarked in September 2025 with Node v24.6.0 on Apple M2 using tinybench. Higher ops/s is better; avg (μs) is the mean time per operation. See scripts/benchmark.ts to reproduce.

Decoding

LibraryVersionops/savg (μs)±%slower
entities7.0.05,838,416175.570.06
html-entities2.6.02,919,637347.770.3350.0%
he1.2.02,318,438446.480.7060.3%
parse-entities4.0.2852,8551,199.510.3685.4%

Encoding

LibraryVersionops/savg (μs)±%slower
entities7.0.02,770,115368.090.11
html-entities2.6.01,491,963679.960.5846.2%
he1.2.0481,2782,118.250.6182.6%

Escaping

LibraryVersionops/savg (μs)±%slower
entities7.0.04,616,468223.840.17
he1.2.03,659,301280.760.5820.7%
html-entities2.6.03,555,301296.630.8423.0%

Note: Micro-benchmarks may vary across machines and Node versions.

FAQ

What methods should I actually use to encode my documents?

If your target supports UTF-8, the escapeUTF8 method is going to be your best choice. Otherwise, use either encodeHTML or encodeXML based on whether you're dealing with an HTML or an XML document.

You can have a look at the options for the encode and decode methods to see everything you can configure.

When should I use strict decoding?

When strict decoding, entities not terminated with a semicolon will be ignored. This is helpful for decoding entities in legacy environments.

Why should I use entities instead of alternative modules?

As of September 2025, entities is faster than other modules. Still, this is not a differentiated space and other modules can catch up.

More importantly, you might already have entities in your dependency graph (as a dependency of eg. cheerio, or htmlparser2), and including it directly might not even increase your bundle size. The same is true for other entity libraries, so have a look through your node_modules directory!

Does entities support tree shaking?

Yes! entities ships as both a CommonJS and a ES module. Note that for best results, you should not use the encode and decode functions, as they wrap around a number of other functions, all of which will remain in the bundle. Instead, use the functions that you need directly.

Acknowledgements

This library wouldn't be possible without the work of these individuals. Thanks to

  • @mathiasbynens for his explanations about character encodings, and his library he, which was one of the inspirations for entities
  • @inikulin for his work on optimized tries for decoding HTML entities for the parse5 project
  • @mdevils for taking on the challenge of producing a quick entity library with his html-entities library. entities would be quite a bit slower if there wasn't any competition. Right now entities is on top, but we'll see how long that lasts!

License: BSD-2-Clause

Security contact information

To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.

entities for enterprise

Available as part of the Tidelift Subscription

The maintainers of entities and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.

npm-compare.com is an independent website designed to help developers choose the most suitable npm packages. We are not affiliated with npm, Inc, the official website for the npm registry. Note that npm is a registered trademark of npm, Inc. Please share your feedback via our GitHub repository. For more details, please refer to our Terms & Privacy.