Browser-only tool

HTML escape and unescape

Convert characters like <, >, &, quotes, and apostrophes to HTML entities, or decode common entities back to readable text.

  • Updated: 2026-04-30
  • HTML escaping and unescaping runs locally in your browser. Input is not uploaded.

Warning: escaping helps in specific text contexts, but it is not a complete XSS defense for every HTML, attribute, URL, CSS, or JavaScript context.


Useful And Dangerous HTML Escaping Cases

Useful for:

  • Showing code examples as text.
  • Preventing accidental markup interpretation in text nodes.
  • Debugging entity-encoded values.

Do not use for:

  • Sanitizing arbitrary HTML by itself.
  • Allowing untrusted scripts, event handlers, or unsafe URLs.
  • Replacing framework output escaping.

Safer alternatives:

  • Use framework escaping by default.
  • Use a trusted HTML sanitizer when rich HTML is required.

Privacy And Limitations

HTML escaping and unescaping runs locally in your browser. Input is not uploaded.

  • Escaping text is not a complete XSS defense by itself; the correct escaping depends on the HTML, attribute, URL, CSS, or JavaScript context.
  • Do not use untrusted decoded HTML as executable markup unless your application sanitizes it correctly.
  • This tool is for text transformation and debugging, not for replacing framework-level output escaping.

FAQ

Does HTML escaping prevent XSS?

It helps when text is inserted into the correct HTML text context, but complete XSS prevention depends on context-aware escaping and sanitization.

Which characters are escaped?

This tool escapes ampersand, less-than, greater-than, double quotes, single quotes, and backticks.

Is unescaping HTML dangerous?

It can be dangerous if decoded content is inserted into a page as trusted HTML. Treat untrusted decoded output as text unless sanitized.

Should I use this instead of my framework escaping?

No. Framework escaping should remain the primary protection in applications. This page is for inspection, examples, and manual conversion.

Why are quotes escaped?

Quotes matter when text is inserted into HTML attributes. Escaping them reduces accidental markup breakage.
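
As an added example (not this tool's own code), the sketch below escapes the six characters listed in the FAQ and shows why the warning about URL contexts matters: a javascript: URL contains none of those characters, so escaping leaves it unchanged and the scheme has to be checked separately. The entity forms, the function names, and the scheme allowlist are assumptions.

```javascript
// Added example: entity forms are assumed, not taken from the tool's source.
const ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "`": "&#96;",
};

// Escape all six characters in one pass so "&" is never double-encoded.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => ENTITIES[ch]);
}

// Decode only the entities above, also in one pass, so that
// "&amp;lt;" becomes the text "&lt;" and not the character "<".
const DECODE = Object.fromEntries(Object.entries(ENTITIES).map(([c, e]) => [e, c]));
function unescapeHtml(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#39|#96);/g, (e) => DECODE[e]);
}

// URL attribute context: parse the value, allowlist the scheme, then escape.
// Accepts absolute URLs only; anything else is replaced with "#".
function safeHref(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return "#";
  }
  const allowed = ["http:", "https:", "mailto:"]; // assumed allowlist
  return allowed.includes(url.protocol) ? escapeHtml(url.href) : "#";
}

// Constructed sample inputs.
const textInput = `<b title="x">Tom & 'Jerry'</b>`;
const urlInput = "javascript:void(0)";

console.log(escapeHtml(textInput));
console.log(escapeHtml(urlInput)); // javascript:void(0) (unchanged by escaping)
console.log(safeHref(urlInput)); // #
```

In an application, the framework's own output escaping and a trusted sanitizer remain the primary controls; this only illustrates why the context decides which check is needed.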