XML Escape/Unescape
Escape or unescape XML special characters instantly
XML Input
Escaped Output
XML Escape Examples
Special characters (&, <, >, ", ') must be escaped in XML. Telecom-themed example:
Call log with special characters
Raw XML (note contains <, &, quotes):
Escaped output:
Use Sample above to load a call log into the editor.
What Is XML Escape/Unescape?
XML reserves certain characters for markup: &, <, >, ", and '. When these appear in text content or attribute values, they must be escaped as entities (&, <, etc.) or the parser will misinterpret them. The W3C XML specification defines entity references. Unescaping does the reverse—it turns entities back into the actual characters.
This tool has two modes: Escape and Unescape. Toggle between them at the top. Both run in your browser; nothing is sent to a server, so it's safe to use with production data or sensitive content.
How to Use This Tool
Choose Mode and Paste
Select Escape to convert special characters to entities, or Unescape to convert them back. Paste your XML (or escaped text) into the left editor, or upload a file. Use the toggle button to switch between modes.
View the Output
The right panel updates automatically. In Escape mode, reserved characters become entities. In Unescape mode, entities become the actual characters. Invalid or malformed input may produce unexpected results—validate with XML Validator if needed.
Copy or Download
Use <strong>Copy</strong> to put the result on your clipboard, or <strong>Download</strong> to save it as a file. For JSON escaping, use JSON Escape. For URL encoding, use XML URL Encode.
When XML Escaping Matters
When embedding user input or dynamic content in XML, unescaped < or & can break parsing or create security issues. Escaping ensures the content is treated as text, not markup. When you receive double-escaped XML (e.g. from a database or API that stores XML as a string), unescaping removes the extra layer so you can parse it correctly.
Frequently Asked Questions
When do I need to escape?
When embedding user input or special characters in XML text content or attributes. Browsers and parsers expect entities for reserved chars. Unescaped < can be interpreted as the start of a tag; & as the start of an entity.
What about CDATA?
CDATA sections (<![CDATA[...]]>) avoid escaping for large blocks of text. But ]]> must still be escaped or split inside CDATA, as it ends the section. The W3C XML spec defines CDATA rules.
Is my data private?
Yes. Processing runs entirely in your browser using JavaScript. No data is sent to any server. You can confirm this by opening your browser's Network tab while using the tool.
Related Tools
For more on XML escaping and entities, see the W3C XML entity references, the W3C XML specification, and W3C XML. For parsing XML in the browser, see MDN DOMParser. For HTML entities, see HTML named character references. For JSON escaping, see the JSON specification.