HTML Escape / Unescape
Escape HTML entities for safe rendering or decode entities back to text. XSS-aware with attribute-safe mode.
工具代码会在浏览器中处理所选文件和输入内容,不会将其提交给 TOOLGRID 的处理接口。 TOOLGRID 只衡量工具使用情况,不记录你输入的内容。
- 不上传工具输入至 TOOLGRID
- 不登录
- 复制前先检查
Loading tool…
这个工具能做什么
Free HTML escape and unescape tool. Convert text to safe HTML entities (& < > " ') or decode entities back. Context-aware for XSS prevention. Runs in your browser.
HTML Escape turns characters like <, >, &, ", and ' into their HTML-safe entity form (e.g., < becomes <) so user-supplied text can be rendered inside an HTML document without breaking markup or enabling XSS.
Unescape goes the other direction — decode an HTML-escaped string back to readable text. Useful for inspecting payloads pulled from logs, RSS feeds, or APIs that double-escape content.
Pair this with our URL Encoder when content needs to be safe across multiple contexts (URL, then HTML), or with JSON Formatter when escaping for JSON string values.
这个工具适合解决什么问题
Before injecting user input into an HTML page (comments, profile bios, post content), escape it so malicious script tags and attribute injections can't execute. This is the baseline defense against reflected and stored XSS.
Application logs and many JSON APIs return HTML-escaped strings (<p> instead of <p>). Decode them to read the underlying content during debugging.
When writing technical docs that include code examples or HTML snippets, escape the HTML so the rendered docs show the markup as text instead of interpreting it as actual markup.
依赖结果前需要检查什么
- Performance and maximum practical input size depend on browser memory, device speed, and the structure of the input.
- Review the generated result before replacing or publishing an original file.
如果还需要校验、转换或复用结果,可以继续打开相近的浏览器本地工具。
如何使用
01使用场景
Before injecting user input into an HTML page (comments, profile bios, post content), escape it so malicious script tags and attribute injections can't execute. This is the baseline defense against reflected and stored XSS.
Application logs and many JSON APIs return HTML-escaped strings (<p> instead of <p>). Decode them to read the underlying content during debugging.
When writing technical docs that include code examples or HTML snippets, escape the HTML so the rendered docs show the markup as text instead of interpreting it as actual markup.
Different CMSes escape content differently. Use this tool to normalize HTML-escaped strings between WordPress, Markdown, Notion, and custom CMS exports during migrations.
使用技巧
- 01Context determines what's safe
HTML body text needs <, >, & escaped. HTML attributes additionally need quote characters (" and ') escaped. JavaScript contexts and URLs require entirely different encoding. "Escape once for the right context" is the rule — don't double-escape.
- 02Five entities cover 99% of cases
Most HTML escape needs are met by just five entities: & (ampersand), < (less-than), > (greater-than), " (double quote), ' (apostrophe). Beyond these are hundreds of named entities (©, —, etc.) but they're optional in modern UTF-8 documents.
- 03Numeric entities are universal
Named entities like © only work in HTML. Numeric entities like © (decimal) or © (hex) work in HTML, XML, and any spec that supports character references. When in doubt, use numeric.
- 04Escape is not the same as sanitize
Escaping converts dangerous characters to safe entities — fine for plain-text contexts. Sanitization removes or rewrites whole tags (e.g., dropping <script> while keeping <p>). For rich-text user input where some HTML must be preserved, use a sanitizer like DOMPurify, not just escape.
常见问题
02Does this run entirely in my browser?
Both escape and unescape use the browser's built-in DOM and string APIs. Tool code processes selected files and entered content in your browser and does not submit them to a TOOLGRID processing endpoint. Browser-local processing avoids a TOOLGRID upload path, but it is not a blanket security guarantee.
Which HTML entities does it cover?
By default it escapes the five characters that matter for XSS: & (ampersand), < (less-than), > (greater-than), " (double quote), and ' (apostrophe). Unescape additionally decodes all named HTML entities plus numeric character references (© and ©).
Is escaping alone enough to prevent XSS?
For plain HTML body text contexts, yes — escaping the five critical characters prevents tag injection. But other contexts (inline JavaScript, CSS, URLs, HTML attributes with unquoted values) require their own escaping or different defenses. Treat HTML escape as one layer in a defense-in-depth strategy.
What's the difference between escape and sanitize?
Escape preserves all input — it just makes potentially dangerous characters safe by converting them to entities. Sanitize removes content — it strips or rewrites whole tags and attributes that don't pass a whitelist. Use escape when you want to display plain text; sanitize when you want to allow some safe HTML.
Can I escape HTML for attribute values specifically?
Yes. The default escape mode covers double quotes (for double-quoted attributes) and single quotes (for single-quoted attributes). For maximum safety in attribute contexts, also avoid unquoted attribute values entirely — that's where the trickiest XSS vectors live.
Does it handle international characters?
Yes. Unicode characters pass through unchanged in escape mode (modern browsers handle UTF-8 natively). On the unescape side, numeric entities for any Unicode codepoint are decoded correctly, including emoji and characters from any script.
Why does my escaped string still get rendered as HTML?
You're probably using innerHTML or dangerouslySetInnerHTML somewhere downstream — these bypass escaping. Switch to textContent (DOM) or pass the value as a child node in React/JSX, which handles escaping automatically.

