HTML Escape / Unescape
Escape HTML entities for safe rendering or decode entities back to text. XSS-aware with attribute-safe mode.
Why use this tool
Free HTML escape and unescape tool. Convert text to safe HTML entities (& < > " ') or decode entities back. Context-aware for XSS prevention. Runs in your browser.
HTML Escape turns characters like <, >, &, ", and ' into their HTML-safe entity form (e.g., < becomes &lt;) so user-supplied text can be rendered inside an HTML document without breaking markup or enabling XSS.
Unescape goes the other direction — decode an HTML-escaped string back to readable text. Useful for inspecting payloads pulled from logs, RSS feeds, or APIs that double-escape content.
Pair this with our URL Encoder when content needs to be safe across multiple contexts (URL, then HTML), or with JSON Formatter when escaping for JSON string values.
How to use
Quick checks before you copy
Confirm the input is the format you intended.
Scan the result before using it in a document, URL, config, or message.
Copy only the output you need.
Use Cases
Before injecting user input into an HTML page (comments, profile bios, post content), escape it so malicious script tags and attribute injections can't execute. This is the baseline defense against reflected and stored XSS.
Application logs and many JSON APIs return HTML-escaped strings (&lt;p&gt; instead of <p>). Decode them to read the underlying content during debugging.
When writing technical docs that include code examples or HTML snippets, escape the HTML so the rendered docs show the markup as text instead of interpreting it as actual markup.
Different CMSes escape content differently. Use this tool to normalize HTML-escaped strings between WordPress, Markdown, Notion, and custom CMS exports during migrations.
Tips & Tricks
- Context determines what's safe
HTML body text needs <, >, & escaped. HTML attributes additionally need quote characters (" and ') escaped. JavaScript contexts and URLs require entirely different encoding. "Escape once for the right context" is the rule — don't double-escape.
- Five entities cover 99% of cases
Most HTML escape needs are met by the entities for just five characters: & (ampersand), < (less-than), > (greater-than), " (double quote), ' (apostrophe). Beyond these are hundreds of named entities (&copy;, &mdash;, etc.) but they're optional in modern UTF-8 documents.
- Numeric entities are universal
Named entities like &copy; only work in HTML. Numeric entities like &#169; (decimal) or &#xA9; (hex) work in HTML, XML, and any spec that supports character references. When in doubt, use numeric.
- Escape is not the same as sanitize
Escaping converts dangerous characters to safe entities — fine for plain-text contexts. Sanitization removes or rewrites whole tags (e.g., dropping <script> while keeping <p>). For rich-text user input where some HTML must be preserved, use a sanitizer like DOMPurify, not just escape.
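An added example, not the tool's own source, written in JavaScript because the page says the tool runs on the browser's string APIs: an escape for body text and quoted attribute values covering the five characters above, and an unescape that decodes named, decimal and hex references (including emoji via code points) and shows what double-escaping does. The NAMED table is a constructed subset of the full HTML entity list.

```javascript
// Added example (not the tool's own source): context-aware HTML escape plus an
// unescape that handles named, decimal and hex character references.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML body text or quoted attribute values: the five characters
// that can break out of markup are replaced with entities; everything else
// (including non-ASCII such as emoji) passes through unchanged.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Build one double-quoted attribute. Quoting plus escaping is what keeps a
// value containing quotes from terminating the attribute early.
function quotedAttr(name, value) {
  return `${name}="${escapeHtml(value)}"`;
}

// Constructed subset of named entities; a real decoder carries the full HTML5 list.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                copy: '\u00A9', mdash: '\u2014', nbsp: '\u00A0' };

// Decode &name;, &#NNN; and &#xHH; references in a single pass, so text that was
// escaped twice (e.g. "&amp;lt;") comes back one level ("&lt;"), not fully decoded.
// Unknown names are left intact; invalid code points become U+FFFD.
function unescapeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\uFFFD';
      return String.fromCodePoint(cp); // handles astral code points like emoji
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : whole;
  });
}

// Escaping twice is the classic mistake: the first pass's "&" gets escaped again.
function doubleEscaped(text) {
  return escapeHtml(escapeHtml(text));
}
```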
FAQ
Does this run entirely in my browser?
Yes. Both escape and unescape use the browser's built-in DOM and string APIs. No content is sent to any server — paste freely, including content with secrets or PII.
Which HTML entities does it cover?
By default it escapes the five characters that matter for XSS: & (ampersand), < (less-than), > (greater-than), " (double quote), and ' (apostrophe). Unescape additionally decodes all named HTML entities plus numeric character references (&#169; and &#xA9;).
Is escaping alone enough to prevent XSS?
For plain HTML body text contexts, yes — escaping the five critical characters prevents tag injection. But other contexts (inline JavaScript, CSS, URLs, HTML attributes with unquoted values) require their own escaping or different defenses. Treat HTML escape as one layer in a defense-in-depth strategy.
What's the difference between escape and sanitize?
Escape preserves all input — it just makes potentially dangerous characters safe by converting them to entities. Sanitize removes content — it strips or rewrites whole tags and attributes that don't pass a whitelist. Use escape when you want to display plain text; sanitize when you want to allow some safe HTML.
Can I escape HTML for attribute values specifically?
Yes. The default escape mode covers double quotes (for double-quoted attributes) and single quotes (for single-quoted attributes). For maximum safety in attribute contexts, also avoid unquoted attribute values entirely — that's where the trickiest XSS vectors live.
Does it handle international characters?
Yes. Unicode characters pass through unchanged in escape mode (modern browsers handle UTF-8 natively). On the unescape side, numeric entities for any Unicode codepoint are decoded correctly, including emoji and characters from any script.
Why does my escaped string still get rendered as HTML?
You're probably using innerHTML or dangerouslySetInnerHTML somewhere downstream — these bypass escaping. Switch to textContent (DOM) or pass the value as a child node in React/JSX, which handles escaping automatically.
Related tools
JSON Escape / Unescape
Escape a string for safe embedding in a JSON value, or unescape a JSON-encoded string back to plain text.
URL Encoder & Decoder — Convert Text to URL-Safe Format
Encode text for URLs or decode encoded URL values.
JSON Formatter
Format, minify, and validate JSON in one place.