Is my HTML code sent to a server?

No. All deobfuscation runs entirely in your browser. Your code is never uploaded.

Does it remove HTML comments used for obfuscation?

Yes. HTML comments that contain long random-looking strings (typically used to hide or confuse code readers) are removed from the output.

HTML Deobfuscator - Deobfuscate HTML Online Free

Input

Deobfuscated Output

What Is the HTML Deobfuscator?

The HTML Deobfuscator reverses common obfuscation patterns found in HTML files. Paste obfuscated or minified HTML and get clean, readable output. HTML obfuscation is commonly used to hide source code intent, protect email addresses from scrapers, or disguise malicious payloads.

This tool runs entirely in your browser. No code is sent to any server. It decodes named HTML entities (<, >, &), numeric character references (H), hex character references (H), unicode escapes in inline scripts (\u0048), and hex escapes (\x48). It also removes obfuscation comments and pretty-prints the resulting HTML with proper indentation.

How to Use This Tool

Paste or Upload

Paste obfuscated or minified HTML into the left panel, or upload a .html, .htm, or .txt file. Click Sample to load an example.

View Deobfuscated Output

The right panel shows cleaned and formatted HTML. Entities are decoded, script escapes are resolved, and the markup is indented for readability.

Copy or Download

Use Copy or Download to save the result as a .html file for further analysis or review.

HTML Deobfuscator Examples

Here is an example of deobfuscating HTML that uses entity encoding and hex escape sequences—two of the most common HTML obfuscation techniques.

Example: Entity Encoding and Hex Escapes

Obfuscated input:

Input

Deobfuscated output:

Output

When the HTML Deobfuscator Helps

HTML obfuscation is used in phishing pages, spam emails, malicious ads, and copy-protected web content. This tool helps security researchers, web developers, and analysts quickly decode and read HTML that has been deliberately obscured. It handles the most common static obfuscation patterns; dynamic obfuscation that relies on JavaScript execution may require additional analysis in a browser developer tool or sandbox.

Frequently Asked Questions

What HTML obfuscation patterns does this tool decode?

This tool decodes named HTML entities (<, >, &, ", ',  ), decimal numeric references (H), hex numeric references (H), unicode escapes in scripts (\u0048), and hex escapes in scripts (\x48). It also removes comments containing long random strings and pretty-prints the output.

Is my HTML sent to a server?

No. All processing runs entirely in your browser using JavaScript. Your HTML code is never uploaded to any server.

Can this tool handle deeply nested HTML?

Yes. The pretty-printer adds proper indentation for nested tags, handles self-closing tags like <br>, <img>, and <input>, and formats the output for readability.

Does it decode obfuscated JavaScript inside script tags?

It decodes static unicode and hex escapes (\u and \x) inside inline scripts. Dynamically evaluated JavaScript obfuscation (e.g., eval-based) requires a JavaScript deobfuscator.

What file formats can I upload?

You can upload .html, .htm, and .txt files. The file contents are loaded into the editor and deobfuscated automatically.

Related Tools

For more information on HTML entities, see the MDN HTML Entity reference.

Error

Success