HTML Escape / Unescape
Convert special characters to HTML entities and back.
What is HTML Escape / Unescape?
An HTML escape tool converts characters that have special meaning in HTML (<, >, &, ", ') into their named or numeric entities so the browser renders them as literal text instead of parsing them as markup. The matching unescape converts entities like &lt;, &amp;, and &#39; back into the original characters. Escaping is the first line of defense against cross-site scripting (XSS) and is required any time user-supplied content lands inside an HTML document.
Web developers, CMS authors, and email template writers use HTML escape every time they need to display a code snippet, render a user comment safely, or paste raw markup into a documentation page.
Why use an HTML escape tool?
- Prevent XSS in user content. Escaping < to &lt; neutralizes any <script> tag that a hostile user pastes into a comment field.
- Display HTML source inside HTML. Tutorials and docs that show markup need &lt;div&gt; so the browser renders the text instead of creating a div.
- Send HTML inside JSON or attributes. When an HTML fragment travels as a JSON value or HTML attribute, escaping the quotes and angle brackets keeps the wrapping syntax intact.
- Recover the source from rendered output. Pasting escaped markup into the unescape mode reveals exactly what the templating engine emitted.
- Stay private with sensitive content. The tool runs in the browser, so internal CMS payloads or proprietary templates never reach a third-party server.
How to use the HTML Escape / Unescape tool
- Choose Escape to turn raw HTML into entities, or Unescape to reverse the conversion.
- Paste the input into the Raw HTML or Escaped HTML field on the left.
- Read the result on the right; it updates as you type.
- Use the copy control on the output panel to grab the converted text.
- Toggle modes and paste the output back to confirm the round trip preserves your source.
HTML entity reference
The five characters every escaper must handle, plus the most common extras:
| Character | Named entity | Numeric entity | Why escape it |
|---|---|---|---|
| & | &amp; | &#38; | Starts every entity; must come first |
| < | &lt; | &#60; | Opens an HTML tag |
| > | &gt; | &#62; | Closes an HTML tag |
| " | &quot; | &#34; | Closes a double-quoted attribute |
| ' | &apos; | &#39; | Closes a single-quoted attribute |
| (non-breaking space) | &nbsp; | &#160; | Non-breaking space |
| © | &copy; | &#169; | Copyright sign |
| € | &euro; | &#8364; | Euro sign |
The order matters. Always escape & first; otherwise a later step that turns < into &lt; would create a second & that then has to be re-escaped.
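An added example (not the tool's own source) of an escaper and one-layer unescaper for the characters in the table, plus a layer counter for the double-escape symptom. It assumes the output lands in an HTML text node or quoted attribute value; the entity set and function names are this example's own.

```javascript
// Added example, not the tool's own source: a minimal HTML escaper and
// unescaper for the five characters in the table plus a few named extras.
// Assumes the output lands in an HTML text node or a quoted attribute value;
// JavaScript, CSS and URL contexts need their own encoders.
const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// One regex pass replaces every special character at once, so an "&" produced
// by "<" -> "&lt;" can never be picked up and escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Named entities this unescaper knows; unrecognized names are left as-is,
// which is what a browser does with an unknown entity name too.
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  nbsp: "\u00a0", copy: "\u00a9", euro: "\u20ac",
};

// Decodes exactly one layer: decimal (&#169;), hex (&#xA9;) and named forms.
function unescapeHtml(text) {
  return String(text).replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body) ? NAMED_ENTITIES[body] : match;
  });
}

// Counts how many escape layers a string carries by unescaping until nothing
// changes: 0 for plain text, 1 for normal output, 2 or more means the text
// went through the escaper more than once (the "&amp;amp;" symptom).
// Every replacement drops at least "&" and ";", so the loop always terminates.
function escapeLayers(text) {
  let layers = 0;
  let current = String(text);
  for (;;) {
    const next = unescapeHtml(current);
    if (next === current) return layers;
    current = next;
    layers += 1;
  }
}

// Round-trip check from the how-to steps: escaping then unescaping must give
// back the original input unchanged.
function roundTrips(text) {
  return unescapeHtml(escapeHtml(text)) === String(text);
}
```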
Examples
A comment that contains a fake script tag:
Raw input:
<script>alert('XSS')</script>
Escaped output:
&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
An attribute value with a quote:
Raw input:
<a title="She said "hi"">link</a>
Escaped attribute:
<a title="She said &quot;hi&quot;">link</a>
When the browser renders the escaped form, it shows the literal characters and never parses them as markup, which neutralizes the injection.
Common use cases
- Comment and forum systems. Escape every user-submitted string before rendering to block stored XSS.
- Documentation that shows code. Markdown and MDX render escaped angle brackets (&lt; and &gt;) correctly, so readers see the tag instead of triggering it.
- CMS template debugging. Editors paste escaped output back into the unescape mode to recover the original markup.
- Email templates. Newsletter HTML often round-trips through systems that escape angle brackets; the unescape mode restores the source.
- API responses that contain HTML. Backends that return rendered HTML inside JSON usually escape the response so the JSON parser does not break.
Frequently asked questions
What is HTML escaping?
HTML escaping replaces characters that the HTML parser treats specially with entity references. The browser then displays the original character as text instead of interpreting it as part of a tag, attribute, or entity.
When should I escape HTML?
Any time you insert untrusted text into an HTML document. That includes user comments, form values rendered in error pages, search terms echoed back to the user, and content pulled from external APIs. Templating engines like React, Vue, and Jinja escape by default; raw string concatenation does not.
Is HTML escape the same as URL encoding?
No. HTML escape uses entities like &amp; for safe rendering inside HTML. URL encoding uses %26 for safe transport in URLs. They serve different contexts and are not interchangeable. Use the URL Encode / Decode tool for the latter.
Does HTML escaping prevent all XSS?
It prevents the most common form, HTML-context XSS. Other contexts (JavaScript strings, CSS values, URL attributes) need their own escaping rules. A <script> block, for example, needs JavaScript escaping instead.
Why are there both named and numeric entities?
Named entities (&copy;) read better for humans, but only a fixed set is recognized. Numeric entities (&#169;) work for any Unicode code point. Modern HTML5 supports thousands of named entities, so either is fine for the standard set.
Should I escape ' as &#39; or &apos;?
In HTML5, both work. In older XHTML and some email clients, &apos; is unrecognized, so &#39; is safer.
Why does my escaped output look double-escaped?
It probably went through the escaper twice. Each & became &amp;, then the existing &amp; became &amp;amp;. Run the unescape mode once to peel a layer.
Does the tool handle Unicode characters?
Yes. Non-ASCII characters pass through unchanged because they are valid in UTF-8 HTML documents.
Related tools
- Base64 Encoder / Decoder: Convert binary data to ASCII for JSON, headers, and data URLs.
- URL Encode / Decode: Percent-encode strings for safe use in URLs.
- JWT Decoder: Split a JWT into header, payload, and signature.
- Strip HTML Tags: Remove all HTML markup and keep the plain text content.