Does this run entirely in my browser?

Yes. Both escape and unescape use the browser's built-in DOM and string APIs. No content is sent to any server — paste freely, including content with secrets or PII.

Which HTML entities does it cover?

By default it escapes the five characters that matter for XSS: & (ampersand), (greater-than), " (double quote), and ' (apostrophe). Unescape additionally decodes all named HTML entities plus numeric character references (© and ©).

Is escaping alone enough to prevent XSS?

For plain HTML body text contexts, yes — escaping the five critical characters prevents tag injection. But other contexts (inline JavaScript, CSS, URLs, HTML attributes with unquoted values) require their own escaping or different defenses. Treat HTML escape as one layer in a defense-in-depth strategy.

What's the difference between escape and sanitize?

Escape preserves all input — it just makes potentially dangerous characters safe by converting them to entities. Sanitize removes content — it strips or rewrites whole tags and attributes that don't pass a whitelist. Use escape when you want to display plain text; sanitize when you want to allow some safe HTML.

Can I escape HTML for attribute values specifically?

Yes. The default escape mode covers double quotes (for double-quoted attributes) and single quotes (for single-quoted attributes). For maximum safety in attribute contexts, also avoid unquoted attribute values entirely — that's where the trickiest XSS vectors live.

Does it handle international characters?

Yes. Unicode characters pass through unchanged in escape mode (modern browsers handle UTF-8 natively). On the unescape side, numeric entities for any Unicode codepoint are decoded correctly, including emoji and characters from any script.

Why does my escaped string still get rendered as HTML?

You're probably using innerHTML or dangerouslySetInnerHTML somewhere downstream — these bypass escaping. Switch to textContent (DOM) or pass the value as a child node in React/JSX, which handles escaping automatically.

转换工具属于转换工具 →

HTML 转义

HTML 转义，在浏览器中快速完成单项任务。

数据留在您的设备无需上传至服务器可离线使用

为什么用这个工具

HTML 转义在浏览器本地运行，适合快速处理与复制结果。

HTML 转义适用于日常高频小任务，打开即用。

默认本地处理，便于快速检查与复制结果。

如何使用

01输入或粘贴所需内容。

02查看结果并复制使用。

复制前快速检查

先确认输入格式符合你的预期。

在把结果用于文档、链接、配置或消息前快速扫一眼。

只复制你真正需要的输出。

使用场景

Render user-generated content safely

Before injecting user input into an HTML page (comments, profile bios, post content), escape it so malicious script tags and attribute injections can't execute. This is the baseline defense against reflected and stored XSS.

Inspect escaped content from logs or APIs

Application logs and many JSON APIs return HTML-escaped strings (<p> instead of <p>). Decode them to read the underlying content during debugging.

Prepare snippets for documentation

When writing technical docs that include code examples or HTML snippets, escape the HTML so the rendered docs show the markup as text instead of interpreting it as actual markup.

Migrate content between platforms

Different CMSes escape content differently. Use this tool to normalize HTML-escaped strings between WordPress, Markdown, Notion, and custom CMS exports during migrations.

使用技巧

01
Context determines what's safe
HTML body text needs <, >, & escaped. HTML attributes additionally need quote characters (" and ') escaped. JavaScript contexts and URLs require entirely different encoding. "Escape once for the right context" is the rule — don't double-escape.
02
Five entities cover 99% of cases
Most HTML escape needs are met by just five entities: & (ampersand), < (less-than), > (greater-than), " (double quote), ' (apostrophe). Beyond these are hundreds of named entities (©, —, etc.) but they're optional in modern UTF-8 documents.
03
Numeric entities are universal
Named entities like © only work in HTML. Numeric entities like © (decimal) or © (hex) work in HTML, XML, and any spec that supports character references. When in doubt, use numeric.
04
Escape is not the same as sanitize
Escaping converts dangerous characters to safe entities — fine for plain-text contexts. Sanitization removes or rewrites whole tags (e.g., dropping <script> while keeping <p>). For rich-text user input where some HTML must be preserved, use a sanitizer like DOMPurify, not just escape.

常见问题

这个工具会上传数据吗？

默认在浏览器本地处理。

HTML 转义

HTML 转义，在浏览器中快速完成单项任务。

数据留在您的设备无需上传至服务器可离线使用

转义上下文

实体格式

拖入 .html / .txt 文件（或点击上传）最大 5MB —— 完全在浏览器内处理

输入

转义结果

&lt;div class=&quot;tool&quot;&gt;&amp; &quot;fast&quot;&lt;/div&gt;

还原结果

<div class="tool">& "fast"</div>

为什么用这个工具

HTML 转义在浏览器本地运行，适合快速处理与复制结果。

HTML 转义适用于日常高频小任务，打开即用。

默认本地处理，便于快速检查与复制结果。

如何使用

01输入或粘贴所需内容。

02查看结果并复制使用。

复制前快速检查

先确认输入格式符合你的预期。

在把结果用于文档、链接、配置或消息前快速扫一眼。

只复制你真正需要的输出。

使用场景

Render user-generated content safely

Inspect escaped content from logs or APIs

Application logs and many JSON APIs return HTML-escaped strings (<p> instead of <p>). Decode them to read the underlying content during debugging.

Prepare snippets for documentation

When writing technical docs that include code examples or HTML snippets, escape the HTML so the rendered docs show the markup as text instead of interpreting it as actual markup.

Migrate content between platforms

Different CMSes escape content differently. Use this tool to normalize HTML-escaped strings between WordPress, Markdown, Notion, and custom CMS exports during migrations.

使用技巧

01
Context determines what's safe
HTML body text needs <, >, & escaped. HTML attributes additionally need quote characters (" and ') escaped. JavaScript contexts and URLs require entirely different encoding. "Escape once for the right context" is the rule — don't double-escape.
02
Five entities cover 99% of cases
Most HTML escape needs are met by just five entities: & (ampersand), < (less-than), > (greater-than), " (double quote), ' (apostrophe). Beyond these are hundreds of named entities (©, —, etc.) but they're optional in modern UTF-8 documents.
03
Numeric entities are universal
Named entities like © only work in HTML. Numeric entities like © (decimal) or © (hex) work in HTML, XML, and any spec that supports character references. When in doubt, use numeric.
04
Escape is not the same as sanitize
Escaping converts dangerous characters to safe entities — fine for plain-text contexts. Sanitization removes or rewrites whole tags (e.g., dropping <script> while keeping <p>). For rich-text user input where some HTML must be preserved, use a sanitizer like DOMPurify, not just escape.

常见问题

这个工具会上传数据吗？

默认在浏览器本地处理。

HTML 转义

为什么用这个工具

如何使用

复制前快速检查

使用场景

使用技巧

常见问题

相关工具

JSON 转义

URL 编解码

JSON 格式化

HTML 转义

为什么用这个工具

如何使用

复制前快速检查

使用场景

使用技巧

常见问题

相关工具

JSON 转义

URL 编解码

JSON 格式化

HTML 转义

JSON 转义→

URL 编解码→

JSON 格式化→

HTML 转义

JSON 转义→

URL 编解码→

JSON 格式化→

JSON 转义

URL 编解码

JSON 格式化

JSON 转义

URL 编解码

JSON 格式化