TOOLGRIDTOOLGRID
首页图片工具PDF 工具视频工具音频工具
More
开发工具Web 与 SEO分类文本工具计算器测试方法关于
Menu
首页图片工具PDF 工具视频工具音频工具开发工具Web 与 SEO分类文本工具计算器测试方法关于
109 个工具已上线
TOOLGRIDTOOLGRID

需要某项具体功能时,完整工具箱始终可用。

© 2026 TOOLGRID. All rights reserved.

Tools

图片工具PDF 工具视频工具音频工具转换工具开发工具Web 与 SEO文本工具计算器

Resources

分类测试方法隐私政策

Company

关于条款联系
转换工具
  1. 首页
  2. Converters
  3. HTML Escape / Unescape
属于 Converters →

HTML Escape / Unescape

Escape HTML entities for safe rendering or decode entities back to text. XSS-aware with attribute-safe mode.

开始使用这个工具
浏览器本地处理不向 TOOLGRID 上传输入复制前先检查
DEVELOPER 工作流HTML Escape / Unescape 能力卡
输入
Pasted text or typed values
输出
HTML Escape / Unescape result
运行引擎
Browser APIs
审核日期
2026-07-17
浏览器本地工作区在下方开始,使用浏览器本地处理。

工具代码会在浏览器中处理所选文件和输入内容,不会将其提交给 TOOLGRID 的处理接口。 TOOLGRID 只衡量工具使用情况,不记录你输入的内容。

  • 不上传工具输入至 TOOLGRID
  • 不登录
  • 复制前先检查

Loading tool…

浏览器内运行

这个工具能做什么

01

Free HTML escape and unescape tool. Convert text to safe HTML entities (& < > " ') or decode entities back. Context-aware for XSS prevention. Runs in your browser.

02

HTML Escape turns characters like <, >, &, ", and ' into their HTML-safe entity form (e.g., < becomes <) so user-supplied text can be rendered inside an HTML document without breaking markup or enabling XSS.

03

Unescape goes the other direction — decode an HTML-escaped string back to readable text. Useful for inspecting payloads pulled from logs, RSS feeds, or APIs that double-escape content.

04

Pair this with our URL Encoder when content needs to be safe across multiple contexts (URL, then HTML), or with JSON Formatter when escaping for JSON string values.

代表性任务

这个工具适合解决什么问题

Render user-generated content safely

Before injecting user input into an HTML page (comments, profile bios, post content), escape it so malicious script tags and attribute injections can't execute. This is the baseline defense against reflected and stored XSS.

Inspect escaped content from logs or APIs

Application logs and many JSON APIs return HTML-escaped strings (&lt;p&gt; instead of <p>). Decode them to read the underlying content during debugging.

Prepare snippets for documentation

When writing technical docs that include code examples or HTML snippets, escape the HTML so the rendered docs show the markup as text instead of interpreting it as actual markup.

使用边界

依赖结果前需要检查什么

  • Performance and maximum practical input size depend on browser memory, device speed, and the structure of the input.
  • Review the generated result before replacing or publishing an original file.
MDN Web APIs
继续当前流程下一步常用工具

如果还需要校验、转换或复用结果,可以继续打开相近的浏览器本地工具。

当前结果
产物转换输出动作复制结果
JSON Escape / Unescape转换工具本地产物转换输出动作复制结果立即本地使用→URL 编码解码转换工具本地产物转换输出动作复制结果立即本地使用→JSON 格式化工具数据格式本地产物格式化 JSON动作复制结果立即本地使用→

如何使用

01
01Paste raw text into the escape input to get HTML-safe output.
02Paste HTML-entity text into the unescape input to decode it back to characters.
03Copy whichever output you need — escape for output, unescape for inspection.

使用场景

Render user-generated content safely

Before injecting user input into an HTML page (comments, profile bios, post content), escape it so malicious script tags and attribute injections can't execute. This is the baseline defense against reflected and stored XSS.

Inspect escaped content from logs or APIs

Application logs and many JSON APIs return HTML-escaped strings (&lt;p&gt; instead of <p>). Decode them to read the underlying content during debugging.

Prepare snippets for documentation

When writing technical docs that include code examples or HTML snippets, escape the HTML so the rendered docs show the markup as text instead of interpreting it as actual markup.

Migrate content between platforms

Different CMSes escape content differently. Use this tool to normalize HTML-escaped strings between WordPress, Markdown, Notion, and custom CMS exports during migrations.

使用技巧

  1. 01
    Context determines what's safe

    HTML body text needs <, >, & escaped. HTML attributes additionally need quote characters (" and ') escaped. JavaScript contexts and URLs require entirely different encoding. "Escape once for the right context" is the rule — don't double-escape.

  2. 02
    Five entities cover 99% of cases

    Most HTML escape needs are met by just five entities: &amp; (ampersand), &lt; (less-than), &gt; (greater-than), &quot; (double quote), &#39; (apostrophe). Beyond these are hundreds of named entities (&copy;, &mdash;, etc.) but they're optional in modern UTF-8 documents.

  3. 03
    Numeric entities are universal

    Named entities like &copy; only work in HTML. Numeric entities like &#169; (decimal) or &#xA9; (hex) work in HTML, XML, and any spec that supports character references. When in doubt, use numeric.

  4. 04
    Escape is not the same as sanitize

    Escaping converts dangerous characters to safe entities — fine for plain-text contexts. Sanitization removes or rewrites whole tags (e.g., dropping <script> while keeping <p>). For rich-text user input where some HTML must be preserved, use a sanitizer like DOMPurify, not just escape.

常见问题

02
Does this run entirely in my browser?

Both escape and unescape use the browser's built-in DOM and string APIs. Tool code processes selected files and entered content in your browser and does not submit them to a TOOLGRID processing endpoint. Browser-local processing avoids a TOOLGRID upload path, but it is not a blanket security guarantee.

Which HTML entities does it cover?

By default it escapes the five characters that matter for XSS: & (ampersand), < (less-than), > (greater-than), " (double quote), and ' (apostrophe). Unescape additionally decodes all named HTML entities plus numeric character references (&#169; and &#xA9;).

Is escaping alone enough to prevent XSS?

For plain HTML body text contexts, yes — escaping the five critical characters prevents tag injection. But other contexts (inline JavaScript, CSS, URLs, HTML attributes with unquoted values) require their own escaping or different defenses. Treat HTML escape as one layer in a defense-in-depth strategy.

What's the difference between escape and sanitize?

Escape preserves all input — it just makes potentially dangerous characters safe by converting them to entities. Sanitize removes content — it strips or rewrites whole tags and attributes that don't pass a whitelist. Use escape when you want to display plain text; sanitize when you want to allow some safe HTML.

Can I escape HTML for attribute values specifically?

Yes. The default escape mode covers double quotes (for double-quoted attributes) and single quotes (for single-quoted attributes). For maximum safety in attribute contexts, also avoid unquoted attribute values entirely — that's where the trickiest XSS vectors live.

Does it handle international characters?

Yes. Unicode characters pass through unchanged in escape mode (modern browsers handle UTF-8 natively). On the unescape side, numeric entities for any Unicode codepoint are decoded correctly, including emoji and characters from any script.

Why does my escaped string still get rendered as HTML?

You're probably using innerHTML or dangerouslySetInnerHTML somewhere downstream — these bypass escaping. Switch to textContent (DOM) or pass the value as a child node in React/JSX, which handles escaping automatically.

相关工具

03
本地

JSON Escape / Unescape→立即本地使用No TOOLGRID input upload

Escape a string for safe embedding in a JSON value, or unescape a JSON-encoded string back to plain text.

转换输出复制结果

本地

URL 编码解码→立即本地使用No TOOLGRID input upload

把文本转换为 URL percent encoding,或把编码内容还原为可读文本。

转换输出复制结果

本地

JSON 格式化工具→立即本地使用No TOOLGRID input upload

格式化、压缩并校验 JSON,快速定位语法错误。

格式化 JSON复制结果