TOOLGRIDTOOLGRID
HomeImage ToolsPDF ToolsVideo ToolsAudio Tools
More
Dev ToolsWeb & SEOCategoriesText ToolsCalculatorsHow we testAbout
Menu
HomeImage ToolsPDF ToolsVideo ToolsAudio ToolsDev ToolsWeb & SEOCategoriesText ToolsCalculatorsHow we testAbout
109 tools live
TOOLGRIDTOOLGRID

The full toolbox remains available when you need a specific utility.

Β© 2026 TOOLGRID. All rights reserved.

Tools

Image ToolsPDF ToolsVideo ToolsAudio ToolsConvertersDev ToolsWeb & SEOText ToolsCalculators

Resources

CategoriesHow we testPrivacy Policy

Company

AboutTermsContact
Converters
  1. Home
  2. Converters
  3. HTML Escape / Unescape
Part of Converters β†’

HTML Escape / Unescape

Escape HTML entities for safe rendering or decode entities back to text. XSS-aware with attribute-safe mode.

Use this tool
Browser-local processingNo input upload to TOOLGRIDReview before copy
DEVELOPER workflowHTML Escape / Unescape capability card
Input
Pasted text or typed values
Output
HTML Escape / Unescape result
Runtime
Browser APIs
Reviewed
2026-07-17
Browser-local workspaceStart below with browser-local processing.

Tool code processes selected files and entered content in your browser and does not submit them to a TOOLGRID processing endpoint. TOOLGRID measures tool usage, not the content you enter.

  • No TOOLGRID input upload
  • No account
  • Review before copy

Loading tool…

Browser-based

What this tool does

01

Free HTML escape and unescape tool. Convert text to safe HTML entities (& < > " ') or decode entities back. Context-aware for XSS prevention. Runs in your browser.

02

HTML Escape turns characters like <, >, &, ", and ' into their HTML-safe entity form (e.g., < becomes <) so user-supplied text can be rendered inside an HTML document without breaking markup or enabling XSS.

03

Unescape goes the other direction β€” decode an HTML-escaped string back to readable text. Useful for inspecting payloads pulled from logs, RSS feeds, or APIs that double-escape content.

04

Pair this with our URL Encoder when content needs to be safe across multiple contexts (URL, then HTML), or with JSON Formatter when escaping for JSON string values.

Representative tasks

Where this tool earns its place

Render user-generated content safely

Before injecting user input into an HTML page (comments, profile bios, post content), escape it so malicious script tags and attribute injections can't execute. This is the baseline defense against reflected and stored XSS.

Inspect escaped content from logs or APIs

Application logs and many JSON APIs return HTML-escaped strings (&lt;p&gt; instead of <p>). Decode them to read the underlying content during debugging.

Prepare snippets for documentation

When writing technical docs that include code examples or HTML snippets, escape the HTML so the rendered docs show the markup as text instead of interpreting it as actual markup.

Boundaries

What to check before relying on the result

  • Performance and maximum practical input size depend on browser memory, device speed, and the structure of the input.
  • Review the generated result before replacing or publishing an original file.
MDN Web APIs
Continue this workflowUseful next steps

Open a nearby browser tool when you need to validate, convert, or reuse the result.

Current result
OutputConverted outputActionCopy result
JSON Escape / UnescapeConvertersLocalOutputConverted outputActionCopy resultStart locally→URL Encoder & Decoder — Convert Text to URL-Safe FormatConvertersLocalOutputConverted outputActionCopy resultStart locally→JSON FormatterData FormatLocalOutputFormatted JSONActionCopy resultStart locally→

How to use

01
01Paste raw text into the escape input to get HTML-safe output.
02Paste HTML-entity text into the unescape input to decode it back to characters.
03Copy whichever output you need β€” escape for output, unescape for inspection.

Use Cases

Render user-generated content safely

Before injecting user input into an HTML page (comments, profile bios, post content), escape it so malicious script tags and attribute injections can't execute. This is the baseline defense against reflected and stored XSS.

Inspect escaped content from logs or APIs

Application logs and many JSON APIs return HTML-escaped strings (&lt;p&gt; instead of <p>). Decode them to read the underlying content during debugging.

Prepare snippets for documentation

When writing technical docs that include code examples or HTML snippets, escape the HTML so the rendered docs show the markup as text instead of interpreting it as actual markup.

Migrate content between platforms

Different CMSes escape content differently. Use this tool to normalize HTML-escaped strings between WordPress, Markdown, Notion, and custom CMS exports during migrations.

Tips & Tricks

  1. 01
    Context determines what's safe

    HTML body text needs <, >, & escaped. HTML attributes additionally need quote characters (" and ') escaped. JavaScript contexts and URLs require entirely different encoding. "Escape once for the right context" is the rule β€” don't double-escape.

  2. 02
    Five entities cover 99% of cases

    Most HTML escape needs are met by just five entities: &amp; (ampersand), &lt; (less-than), &gt; (greater-than), &quot; (double quote), &#39; (apostrophe). Beyond these are hundreds of named entities (&copy;, &mdash;, etc.) but they're optional in modern UTF-8 documents.

  3. 03
    Numeric entities are universal

    Named entities like &copy; only work in HTML. Numeric entities like &#169; (decimal) or &#xA9; (hex) work in HTML, XML, and any spec that supports character references. When in doubt, use numeric.

  4. 04
    Escape is not the same as sanitize

    Escaping converts dangerous characters to safe entities β€” fine for plain-text contexts. Sanitization removes or rewrites whole tags (e.g., dropping <script> while keeping <p>). For rich-text user input where some HTML must be preserved, use a sanitizer like DOMPurify, not just escape.

FAQ

02
Does this run entirely in my browser?

Both escape and unescape use the browser's built-in DOM and string APIs. Tool code processes selected files and entered content in your browser and does not submit them to a TOOLGRID processing endpoint. Browser-local processing avoids a TOOLGRID upload path, but it is not a blanket security guarantee.

Which HTML entities does it cover?

By default it escapes the five characters that matter for XSS: & (ampersand), < (less-than), > (greater-than), " (double quote), and ' (apostrophe). Unescape additionally decodes all named HTML entities plus numeric character references (&#169; and &#xA9;).

Is escaping alone enough to prevent XSS?

For plain HTML body text contexts, yes β€” escaping the five critical characters prevents tag injection. But other contexts (inline JavaScript, CSS, URLs, HTML attributes with unquoted values) require their own escaping or different defenses. Treat HTML escape as one layer in a defense-in-depth strategy.

What's the difference between escape and sanitize?

Escape preserves all input β€” it just makes potentially dangerous characters safe by converting them to entities. Sanitize removes content β€” it strips or rewrites whole tags and attributes that don't pass a whitelist. Use escape when you want to display plain text; sanitize when you want to allow some safe HTML.

Can I escape HTML for attribute values specifically?

Yes. The default escape mode covers double quotes (for double-quoted attributes) and single quotes (for single-quoted attributes). For maximum safety in attribute contexts, also avoid unquoted attribute values entirely β€” that's where the trickiest XSS vectors live.

Does it handle international characters?

Yes. Unicode characters pass through unchanged in escape mode (modern browsers handle UTF-8 natively). On the unescape side, numeric entities for any Unicode codepoint are decoded correctly, including emoji and characters from any script.

Why does my escaped string still get rendered as HTML?

You're probably using innerHTML or dangerouslySetInnerHTML somewhere downstream β€” these bypass escaping. Switch to textContent (DOM) or pass the value as a child node in React/JSX, which handles escaping automatically.

Related tools

03
Local

JSON Escape / Unescape→Start locallyNo TOOLGRID input upload

Escape a string for safe embedding in a JSON value, or unescape a JSON-encoded string back to plain text.

Converted outputCopy result

Local

URL Encoder & Decoder — Convert Text to URL-Safe Format→Start locallyNo TOOLGRID input upload

Encode text for URLs or decode encoded URL values.

Converted outputCopy result

Local

JSON Formatter→Start locallyNo TOOLGRID input upload

Format, minify, and validate JSON in one place.

Formatted JSONCopy result