HTML Escape / Unescape

About This Tool

HTML escaping is fundamental for web security and data display. I created this tool after dealing with countless XSS vulnerabilities during security audits and needing to safely display user-generated content. Whether you're escaping form input for output, debugging template engines, preparing data for JSON/XML serialization, or teaching web security concepts, proper HTML entity encoding is essential. The tool supports three entity formats: named entities (&lt;, &gt;), decimal entities (&#60;, &#62;), and hexadecimal entities (&#x3C;, &#x3E;). Each is useful in different contexts. All processing happens client-side in your browser, so sensitive content or production HTML never leaves your machine.

How to Use

For escaping: paste your HTML or text containing special characters into the input panel. The tool automatically converts characters like <, >, &, ", and ' to their HTML entity equivalents in real-time. Choose your preferred entity format: Named (most readable, e.g., &amp;), Decimal (understood by every HTML and XML parser, e.g., &#38;), or Hexadecimal (matches the U+ code point notation, e.g., &#x26;). Named entities beyond the basic five require an HTML5-aware consumer; &apos; in particular is defined in HTML5 and XML but not in HTML 4, so &#39; is the safer spelling of the apostrophe when the output may be parsed by older software. Toggle 'Keep Line Breaks' to preserve or remove newlines. For unescaping: paste HTML with entities and the tool decodes them back to original characters in a single pass, so a double-encoded &amp;lt; becomes &lt;, not <. The 'Encode All Characters' option escapes even non-special characters, useful for maximum compatibility in edge-case scenarios.
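The following is an added example, not the tool's own source code, showing one way to implement the escaping and unescaping behaviour described above: the three entity formats, the 'Keep Line Breaks' and 'Encode All Characters' options, and single-pass decoding. The option names, function names and the named-entity subset in the decoder are my own choices.

```javascript
// Added example (not the tool's own code): escape/unescape with named,
// decimal and hex entity formats plus the two options described above.

// Named forms for the five markup-significant characters. The apostrophe uses
// the numeric form on purpose: &apos; exists in HTML5/XML but not in HTML 4.
const NAMED = { "&": "amp", "<": "lt", ">": "gt", '"': "quot", "'": "#39" };
const SPECIAL = /[&<>"']/g;

function entityFor(ch, format) {
  const cp = ch.codePointAt(0);
  if (format === "named" && NAMED[ch]) return `&${NAMED[ch]};`;
  if (format === "hex") return `&#x${cp.toString(16).toUpperCase()};`;
  return `&#${cp};`; // decimal; also the fallback for "named" when no name is known
}

// format: "named" | "decimal" | "hex"; the option names are assumptions.
function escapeHtml(text, { format = "named", keepLineBreaks = true, encodeAll = false } = {}) {
  if (!keepLineBreaks) text = text.replace(/\r?\n/g, " ");
  if (!encodeAll) return text.replace(SPECIAL, ch => entityFor(ch, format));
  // "Encode All Characters": every code point becomes an entity. for..of walks
  // code points, so astral characters (emoji, etc.) are not split into surrogates.
  let out = "";
  for (const ch of text) {
    out += keepLineBreaks && ch === "\n" ? ch : entityFor(ch, format);
  }
  return out;
}

// A small subset of the HTML5 named-entity table (the browser's parser knows
// the full list); enough to round-trip what escapeHtml emits.
const NAMED_DECODE = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00A0" };
const ENTITY = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;

function unescapeHtml(html) {
  // Single pass: "&amp;lt;" decodes to "&lt;", not to "<". Looping until
  // nothing changes is the double-decoding mistake that reintroduces XSS.
  return html.replace(ENTITY, (match, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      // Out-of-range references are left untouched rather than throwing.
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_DECODE, name) ? NAMED_DECODE[name] : match;
  });
}
```

In a browser, a full-table decoder is available for free by letting the HTML parser do the work, for example via DOMParser and reading textContent; the hand-written table above exists so the example runs outside a browser and so the single-pass rule is visible.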

Common Use Cases

XSS Prevention

Escape user input before displaying: '<script>alert(XSS)</script>' becomes '&lt;script&gt;alert(XSS)&lt;/script&gt;', which the browser renders as text instead of executing. This escaping is correct for text between tags and inside quoted attribute values; JavaScript strings, URLs and CSS are separate contexts with their own encoders.

Template Debugging

Unescape rendered template output to see what HTML was actually generated.

JSON String Escaping

Entity-escape HTML fragments that will travel inside a JSON document and later be inserted into a page as text. This is separate from JSON's own backslash escaping of quotes and control characters, which the JSON serializer applies; the two encodings are layered, not interchangeable.

Displaying Code

Show HTML code examples on web pages by escaping tags so they appear as text.

Email HTML

Escape special characters in text placed into the HTML body of an email. Subject lines and other headers are not HTML and use MIME header encoding instead; entities there would be displayed literally.

Database Storage

Some applications escape HTML before storing it in text fields so that it never renders unescaped. The more robust pattern is to store the original text and escape at output time: stored entities become double-encoded (&amp;lt;) as soon as an output layer escapes them again, and they cannot be reused in non-HTML contexts without decoding first.

Limitations & Important Notes

This tool handles HTML entities defined in the HTML5 spec. It does NOT remove or sanitize potentially dangerous HTML attributes (like 'onclick', 'onerror') or JavaScript code; it only converts characters to their entity representations so that the browser renders them as text rather than parsing them as markup, and it never inspects or strips anything. A value that contains none of the special characters, such as a javascript: URL, passes through unchanged. For robust XSS prevention, combine output escaping with Content Security Policy (CSP) and input validation. The tool assumes UTF-8 encoding; other encodings may produce unexpected results. For very large documents (>5MB), browser memory limits may cause slowdowns; consider using server-side tools for bulk processing. Entity encoding increases text size (e.g., '<' becomes the four characters &lt;), so it is not ideal for bandwidth-constrained scenarios.
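The following is an added example, not code from the tool, illustrating both the XSS Prevention use case above and the limitation just described: entity escaping neutralises the '<script>' payload and attribute break-outs, but does nothing for a javascript: URL, which must be caught by validation before it reaches the attribute. The render functions and the sample inputs are constructed for illustration.

```javascript
// Added example (not the tool's own code): where entity escaping is enough,
// and where it is not. Function names and inputs are constructed.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = s => s.replace(/[&<>"']/g, ch => ESCAPES[ch]);

// Vulnerable: user text is spliced straight into markup, so tags execute.
function renderCommentUnsafe(text) {
  return `<p class="comment">${text}</p>`;
}

// Hardened for the HTML text context: markup-significant characters become entities.
function renderComment(text) {
  return `<p class="comment">${escapeHtml(text)}</p>`;
}

// Escaping alone is not enough here: "javascript:alert(1)" contains none of the
// five special characters, so it survives escaping unchanged and the browser
// still treats the href as executable. The quote break-out, by contrast, is stopped.
function renderLinkEscapedOnly(url) {
  return `<a href="${escapeHtml(url)}">link</a>`;
}

// Hardened: validate the scheme first (the input-validation step the page
// recommends), then escape for the quoted-attribute context.
function renderLink(url) {
  let parsed;
  try {
    parsed = new URL(url); // absolute URLs only; relative or malformed input is rejected
  } catch {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return `<a href="${escapeHtml(parsed.href)}">link</a>`;
}
```

Returning null for a rejected URL leaves the caller to decide whether to omit the link or show an error; what matters is that the scheme check happens on the parsed URL, not on a string prefix that case tricks or leading whitespace could slip past.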