HTML Escape & Unescape

Convert special characters to their HTML entity equivalents or decode entities back to readable text. Use Escape mode to make raw text safe for embedding in HTML, or Unescape mode to restore entities to their original characters. Everything runs client-side - your data never leaves your browser.

Try These Examples

  • HTML tag with attributes - An element with a class, showing how angle brackets and quotes are escaped
  • Script injection attempt - A classic XSS payload that must be escaped before displaying in a page
  • Pre-escaped entities - Already-escaped HTML entities that can be unescaped back to readable text

How It Works

HTML reserves a handful of characters for its own syntax. When those characters appear in content that will be rendered by a browser, they must be replaced with HTML entities - named or numeric references that the browser displays as the original character without interpreting it as markup.

  • & becomes &amp; - the ampersand starts every entity, so it must be escaped first.
  • < becomes &lt; and > becomes &gt; - angle brackets define HTML tags.
  • " becomes &quot; - double quotes delimit attribute values.
  • ' becomes &#39; - single quotes (apostrophes) can also delimit attributes in some contexts.

When should you escape HTML?

Escape any user-supplied or untrusted text before inserting it into an HTML document. This includes form inputs displayed back to the user, data from APIs rendered in templates, and content stored in databases that may later appear in a web page. Proper escaping is the primary defence against Cross-Site Scripting (XSS) attacks, where an attacker injects malicious code into a page viewed by other users.

When should you unescape HTML?

Unescape when you need to read or process the original text from an HTML source - for example, when scraping a web page, migrating content between systems, or debugging templates that double-escape entities.
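
The five replacements from "How It Works" and the double-escaping problem mentioned above, as an added example (not this tool's own source; the function names and sample string are constructed for illustration). It covers only those five entities.

```javascript
// Added example, not the tool's own code. All names here are assumptions.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = Object.fromEntries(Object.entries(ESCAPES).map(([ch, ent]) => [ent, ch]));

// Single pass over the input: every source character is visited exactly once,
// so an '&' produced by a replacement is never escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Single pass again, so exactly one layer is removed: "&amp;lt;" -> "&lt;".
// Entities other than the five above pass through unchanged.
function unescapeHtml(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => UNESCAPES[ent]);
}

// Deliberately wrong ordering, kept to show the failure mode: chained
// replacements with '&' last re-escape the '&' of entities just written.
function escapeAmpersandLast(text) {
  return String(text)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/&/g, '&amp;');
}

// Heuristic for a double-escaping template bug: an escaped ampersand directly
// followed by the remainder of one of the five entities. Text that documents
// entities on purpose will also match, so treat a hit as a prompt to look.
function looksDoubleEscaped(text) {
  return /&amp;(?:amp|lt|gt|quot|#39);/.test(text);
}

// Constructed sample input.
const sample = `<a class="x" href='/?a=1&b=2'>Tom & Jerry</a>`;
const once = escapeHtml(sample);
const twice = escapeHtml(once); // what a double-escaping template emits

console.log(once);
console.log(looksDoubleEscaped(once), looksDoubleEscaped(twice)); // false true
console.log(escapeAmpersandLast('<b>'));                          // &amp;lt;b&amp;gt;
```

Unescaping the double-escaped string once returns the correctly escaped form, not the raw text, which is why each layer should be decoded deliberately rather than in a loop.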

Frequently Asked Questions

What does it mean to escape HTML?

Escaping HTML means replacing characters that have special meaning in HTML - such as <, >, &, ", and ' - with their corresponding HTML entities. This prevents the browser from interpreting those characters as markup, which keeps your content safe and correctly displayed.

Why is HTML escaping important for security?

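If user-supplied text is inserted into a web page without escaping, an attacker can inject malicious HTML or JavaScript - a vulnerability known as Cross-Site Scripting (XSS). Escaping ensures that input placed in element content or in a quoted attribute value is treated as plain text rather than markup. Text placed inside a script block, an inline event handler, a URL attribute or an unquoted attribute needs encoding specific to that context; entity escaping alone does not make it safe.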

What is the difference between escape and unescape?

Escaping converts raw characters into HTML entities (e.g., < becomes &lt;). Unescaping reverses the process, converting entities back into their original characters (e.g., &lt; becomes <). You escape when inserting text into HTML, and unescape when extracting displayable text from an HTML source.

Is my data safe when using this tool?

Yes. This tool runs entirely in your browser using JavaScript. Your text is never transmitted to a server, stored, or logged. You can verify this by opening your browser's Developer Tools Network tab - you will see zero requests while using the tool.
