HTML Escape / Unescape
Convert HTML special characters to entities, and restore entity strings back to characters.
Category: Converters
When to use?
Use it to put code examples verbatim into an HTML document, to keep user input from running as tags by converting &, <, >, and quotes to entities, or to read entity strings like &lt;div&gt; from an API response back into characters.
How to use
- Escape: enter text to convert &, <, >, ", ' into HTML entities.
- Unescape: enter text with HTML entities to convert back to characters.
Input Explanation
Enter the original text/code/user input to escape, or the HTML entity string to unescape.
Calculation Basis
Escapes: & → &amp;, < → &lt;, > → &gt;, " → &quot;, ' → its entity (&#39; or &apos;). Unescape restores major named entities and decimal/hex numeric entities to characters.
Usage Examples
- Verify XSS prevention - Check that angle brackets and quotes in user input become HTML entities.
- Insert code blocks - Escape code examples so tags do not execute inside an HTML document or blog post.
- Restore entities - Convert entity-encoded text back to characters for readability.
- Check logs/API responses - See what characters entities like &amp;lt; and &lt; originally represented.
Examples
- "<script>alert(1)</script>" → "&lt;script&gt;alert(1)&lt;/script&gt;"
- "Tom & Jerry" → "Tom &amp; Jerry"
Cautions
- Malformed source data can cause parsing errors or broken output.
- A mismatched encoding standard or complex nested data may break or drop the structure.
Guides
What HTML escaping is
It converts HTML special characters like <, >, &, ", ' into entities such as &lt;, &gt;, &amp;. Outputting user input directly into HTML risks XSS, so escaping is needed.
Using unescape
To turn entity-encoded HTML back into original text, use unescape. Useful for reading HTML text returned by a server.
Distinguish output contexts
HTML body, HTML attributes, URLs, and JavaScript strings each need different escaping rules. This tool suits checking basic characters for plain HTML text output.
Check numeric entities
Decimal entities like &#60; and hex entities like &#x3C; can mean the same character. Use unescape to confirm the real character in logs or API responses.
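The escape and unescape behaviour described in these guides, as an added JavaScript example that is not this tool's own code. The function names, the small named-entity table, and the use of &#39; for the apostrophe are assumptions made for the example.

```javascript
// Added example; names and tables are illustrative, not the tool's implementation.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Assumption: a minimal set of named entities; a full decoder needs the whole HTML table.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

function escapeHtml(text) {
  // Single pass over the input, so the '&' of an entity just written is never re-escaped.
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function unescapeHtml(text) {
  // Single pass as well: "&amp;lt;" decodes one level to "&lt;", never two levels to "<".
  const entity = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;
  return String(text).replace(entity, (match, body) => {
    if (body[0] !== '#') {
      // Own-property check so names like "constructor" are not looked up on the prototype.
      return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Leave NUL, surrogate halves and out-of-range values undecoded.
    if (!(code > 0 && code <= 0x10FFFF) || (code >= 0xD800 && code <= 0xDFFF)) return match;
    return String.fromCodePoint(code);
  });
}

// Constructed sample input: the same character written three ways, plus a double-escaped one.
function demo() {
  return ['&lt;', '&#60;', '&#x3C;', '&amp;lt;'].map(unescapeHtml);
}
console.log(escapeHtml('<script>alert(1)</script>'));
console.log(demo());
```

This covers text placed in an HTML body only; values written into URLs, attributes or script blocks need the context-specific handling noted above.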
FAQ
Which characters are escaped?
Five special characters — &, <, >, ", ' — are converted to HTML entities.
Can it handle all HTML entities?
It supports major entities and numeric entities (&#123;, &#x7B;).
Why is escaping needed?
Leaving < or > as-is makes the browser interpret them as tags, so converting to entities shows them as literal characters.
Does escaping alone fully prevent XSS?
It depends on the output context. This tool covers basic escaping for text in an HTML body; URL, attribute, and script contexts need separate handling.