Free HTML Escape / Unescape Online
Escape and unescape HTML entities online — convert special characters to safe entities instantly.
What Is HTML Escaping?
You're building a page that displays user comments, and someone submits <script>alert(1)</script>. If you render that without escaping, congratulations — you just shipped an XSS vulnerability. HTML escaping converts the five dangerous characters (&, <, >, ", ') into their safe entity equivalents as defined in the HTML Living Standard. The MDN entity reference has the full list. For URL contexts, use encodeURIComponent instead — HTML escaping and URL encoding are different beasts.
This tool has two modes: Escape and Unescape. Both run entirely in your browser; no data is sent to a server.
How to Use This Tool
Choose Mode
Select Escape to convert special characters to HTML entities, or Unescape to convert entities back to their original characters.
Paste or Upload Text
Paste your text or HTML into the left editor, or use Upload to load a file. Click Sample to try an example.
Copy or Download Result
The right panel updates automatically. Use Copy or Download to save the result. To format HTML, try the HTML Formatter tool.
HTML Escape Examples
Escaping converts special characters to HTML entities so they render as text:
Raw input (with special characters)
Escaped output (HTML entities)
When HTML Escaping Matters
When you display user-provided content in HTML, you must escape it first to prevent Cross-Site Scripting (XSS) attacks. An attacker could inject <script> tags or event handlers that execute arbitrary JavaScript. Escaping renders those characters harmless as text.
Unescaping is useful when you receive HTML-escaped content (e.g. from a database or API) and want to display or process the original text. See also HTML Unescape, which starts in Unescape mode.
Frequently Asked Questions
What characters does the HTML escape tool convert?
The five characters that must be escaped in HTML: & → &amp;, < → &lt;, > → &gt;, " → &quot;, ' → &#39;. These are defined in the HTML Living Standard.
Is HTML escaping the same as URL encoding?
No. HTML escaping uses named/numeric entities (&amp;, &lt;) for HTML contexts. URL encoding uses percent-encoding (%26, %3C) for URLs. See MDN encodeURIComponent for URL encoding.
Why does the ampersand need to be escaped first?
Because & starts all HTML entities. If you escaped < first to &lt;, then escaped &, you'd get &amp;lt; — double-encoded. Always escape & first.
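The escape and unescape behaviour described above, and the ordering problem from this FAQ answer, as an added example in plain JavaScript (not the tool's own source). Function names, the choice of &#39; for the apostrophe, and the sample comment string are assumptions made for this illustration.

```javascript
// Added example, not the tool's code: escape/unescape the five characters
// the page lists, and show why the order of replacements matters.
const ESCAPE_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;", // numeric form works in every HTML version; &apos; is HTML5-only
};

// One pass over /[&<>"']/g replaces each character exactly once, so an "&"
// produced by "<" -> "&lt;" can never be re-escaped. This is the safe way.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// The mistake the FAQ warns about: sequential replaces with "&" done LAST.
// "<" becomes "&lt;", then the new "&" becomes "&amp;", giving "&amp;lt;".
function escapeHtmlWrongOrder(text) {
  return String(text)
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/&/g, "&amp;"); // double-encodes the entities created above
}

// Unescape has the mirror-image hazard: if done sequentially, "&amp;" must be
// decoded LAST, or "&amp;lt;" would collapse to "<" (over-decoding). A single
// pass over a combined pattern avoids the problem entirely.
const UNESCAPE_MAP = {
  "&amp;": "&",
  "&lt;": "<",
  "&gt;": ">",
  "&quot;": '"',
  "&#39;": "'",
  "&apos;": "'",
};
function unescapeHtml(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#39|apos);/g, (ent) => UNESCAPE_MAP[ent]);
}

// Constructed sample input: the kind of comment the page warns about.
const SAMPLE = "<script>alert(1)</script> & \"quotes\" 'too'";

// Round-trip check a practitioner can run on any string.
function roundTrips(text) {
  return unescapeHtml(escapeHtml(text)) === text;
}
```

Note that escaping is applied to raw text only: running escapeHtml over content that is already escaped produces &amp;amp;, which is the double-encoding the FAQ describes, so escape exactly once at the point of output.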
Is my data sent to a server when I use this tool?
No. All processing runs entirely in your browser using JavaScript. Your text never leaves your machine.
How does HTML escaping prevent XSS attacks?
By converting < and > to entities, any injected <script> tags become harmless text instead of executable code. The OWASP XSS guide recommends escaping as a primary defense.
Related Tools
The HTML Living Standard defines character references. MDN on HTML entities. The OWASP XSS guide explains why escaping matters for security.