Free HTML Deobfuscator Online
Deobfuscate HTML code online — decode entities, hex escapes, and unicode sequences instantly in your browser.
What Is the HTML Deobfuscator?
You've pulled HTML from a suspicious page or an email template, and instead of readable markup you see a wall of &#72; references and \x48 escapes. Manually decoding that character by character is painful. This tool reverses those patterns in one click. It handles every encoding defined in the HTML Living Standard character references, plus JavaScript escape sequences commonly stuffed into inline scripts. Security analysts can cross-reference results with the OWASP XSS Filter Evasion Cheat Sheet to identify attack vectors, while developers can use the DOMParser API for programmatic decoding in their own projects.
This tool runs entirely in your browser. No code is sent to any server. It decodes named HTML entities (&lt;, &gt;, &amp;), numeric character references (&#72;), hex character references (&#x48;), unicode escapes in inline scripts (\u0048), and hex escapes (\x48). It also removes obfuscation comments and pretty-prints the resulting HTML with proper indentation.
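The static decoding described above, as an added example in JavaScript that is not the tool's own source. The function names, the six-entry NAMED table and the sample string are assumptions made for the illustration; script escapes are resolved only inside <script> bodies, not in inline event-handler attributes.

```javascript
// Added example, not the tool's source. NAMED is a small subset of the
// HTML named-entity table; a full decoder needs the complete list.
const NAMED = new Map([['lt', '<'], ['gt', '>'], ['amp', '&'],
  ['quot', '"'], ['apos', "'"], ['nbsp', '\u00a0']]);

// NUL, out-of-range values and lone surrogates become U+FFFD, never a throw.
function safeFromCodePoint(cp) {
  const bad = !Number.isInteger(cp) || cp <= 0 || cp > 0x10ffff ||
    (cp >= 0xd800 && cp <= 0xdfff);
  return bad ? '\ufffd' : String.fromCodePoint(cp);
}

// Single pass: "&amp;lt;" becomes "&lt;", not "<", so one layer is peeled
// per call. References without a trailing ";" are left untouched here,
// although browsers accept some of them.
function decodeEntities(text) {
  const re = /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z][a-z0-9]*));/gi;
  return text.replace(re, (m, hex, dec, name) => {
    if (hex !== undefined) return safeFromCodePoint(parseInt(hex, 16));
    if (dec !== undefined) return safeFromCodePoint(parseInt(dec, 10));
    return NAMED.has(name) ? NAMED.get(name) : m; // unknown name: keep
  });
}

// Resolves \xHH, \uHHHH and \u{H...}. An escaped backslash ("\\") is
// consumed as a pair first so that "\\x41" is not misread as "\x41".
function decodeScriptEscapes(js) {
  const re = /\\(?:(\\)|u\{([0-9a-fA-F]{1,6})\}|u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2}))/g;
  return js.replace(re, (m, pair, brace, u4, x2) => {
    if (pair !== undefined) return m;
    if (brace !== undefined) return safeFromCodePoint(parseInt(brace, 16));
    return String.fromCharCode(parseInt(u4 || x2, 16)); // code unit, so surrogate pairs rejoin
  });
}

// <script> bodies are raw text in HTML: entities are not decoded there,
// and backslash escapes mean nothing outside them.
function deobfuscate(html) {
  const scriptRe = /(<script\b[^>]*>)([\s\S]*?)(<\/script\s*>)/gi;
  let out = '', last = 0, m;
  while ((m = scriptRe.exec(html)) !== null) {
    out += decodeEntities(html.slice(last, m.index + m[1].length));
    out += decodeScriptEscapes(m[2]) + m[3];
    last = scriptRe.lastIndex;
  }
  return out + decodeEntities(html.slice(last));
}

// Constructed sample input.
const SAMPLE = '<p>&#72;&#x65;llo &lt;b&gt; &amp;amp; &bogus;</p>' +
  '<script>var s="\\x48\\u0069 \\\\x41 &#72;";</script>';
console.log(deobfuscate(SAMPLE));
```

The decoded output is for reading only: resolving an escape such as \x22 inside a string literal can change how the script would parse, so do not treat the result as equivalent executable code.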
How to Use This Tool
Paste or Upload
Paste obfuscated or minified HTML into the left panel, or upload a .html, .htm, or .txt file. Click Sample to load an example.
View Deobfuscated Output
The right panel shows cleaned and formatted HTML. Entities are decoded, script escapes are resolved, and the markup is indented for readability.
Copy or Download
Use Copy or Download to save the result as a .html file for further analysis or review.
HTML Deobfuscator Examples
Here is an example of deobfuscating HTML that uses entity encoding and hex escape sequences—two of the most common HTML obfuscation techniques.
Example: Entity Encoding and Hex Escapes
Obfuscated input:
Deobfuscated output:
When the HTML Deobfuscator Helps
HTML obfuscation is used in phishing pages, spam emails, malicious ads, and copy-protected web content. This tool helps security researchers, web developers, and analysts quickly decode and read HTML that has been deliberately obscured. It handles the most common static obfuscation patterns; dynamic obfuscation that relies on JavaScript execution may require additional analysis in a browser developer tool or sandbox.
Frequently Asked Questions
What HTML obfuscation patterns does this tool decode?
This tool decodes named HTML entities (&lt;, &gt;, &amp;, &quot;, &apos;, &nbsp;), decimal numeric references (&#72;), hex numeric references (&#x48;), unicode escapes in scripts (\u0048), and hex escapes in scripts (\x48). It also removes comments containing long random strings and pretty-prints the output.
Is my HTML sent to a server?
No. All processing runs entirely in your browser using JavaScript. Your HTML code is never uploaded to any server.
Can this tool handle deeply nested HTML?
Yes. The pretty-printer adds proper indentation for nested tags, handles self-closing tags, and formats the output for readability.
Does it decode obfuscated JavaScript inside script tags?
It decodes static unicode and hex escapes (\u and \x) inside inline scripts. Dynamically evaluated JavaScript obfuscation (e.g., eval-based) requires a JavaScript deobfuscator.
What file formats can I upload?
You can upload .html, .htm, and .txt files. The file contents are loaded into the editor and deobfuscated automatically.
Related Tools
For more information on HTML entities, see the MDN HTML Entity reference.