Browser-only tool

HTML escape and unescape

Converts special characters to HTML entities and back, for debugging and text content.

  • Updated: 2026-04-30
  • HTML escaping and unescaping runs locally in your browser. Input is not uploaded.

Warning: escaping helps in specific contexts, but it is not a complete XSS defense for HTML, attributes, URLs, CSS, or JavaScript.


Useful And Dangerous HTML Escaping Cases

Useful for:

  • Showing code examples as text.
  • Preventing accidental markup interpretation in text nodes.
  • Debugging entity-encoded values.

Do not use for:

  • Sanitizing arbitrary HTML by itself.
  • Allowing untrusted scripts, event handlers, or unsafe URLs.
  • Replacing framework output escaping.

Safer alternatives:

  • Use framework escaping by default.
  • Use a trusted HTML sanitizer when rich HTML is required.

Privacy and limitations

HTML escaping and unescaping runs locally in your browser. Input is not uploaded.

  • Escaping text is not a complete XSS defense by itself; the correct escaping depends on the HTML, attribute, URL, CSS, or JavaScript context.
  • Do not use untrusted decoded HTML as executable markup unless your application sanitizes it correctly.
  • This tool is for text transformation and debugging, not for replacing framework-level output escaping.

FAQ

Does HTML escaping prevent XSS?

It helps when text is inserted into the correct HTML text context, but complete XSS prevention depends on context-aware escaping and sanitization.

Which characters are escaped?

This tool escapes ampersand, less-than, greater-than, double quotes, single quotes, and backticks.

Is unescaping HTML dangerous?

It can be dangerous if decoded content is inserted into a page as trusted HTML. Treat untrusted decoded output as text unless sanitized.

Should I use this instead of my framework escaping?

No. Framework escaping should remain the primary protection in applications. This page is for inspection, examples, and manual conversion.

Why are quotes escaped?

Quotes matter when text is inserted into HTML attributes. Escaping them reduces accidental markup breakage.
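
The six-character escape described in the FAQ, as an added example that is not this tool's own code. The entity forms (such as &#39; and &#96;) and the function names escapeHtml and unescapeHtml are assumptions, and the sample strings are constructed.

```javascript
// Added example: entity spellings below are assumed, not taken from the tool.
const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "`": "&#96;",
};
const UNESCAPES = Object.fromEntries(
  Object.entries(ESCAPES).map(([ch, entity]) => [entity, ch])
);

// One regex pass replaces each special character exactly once, so the "&"
// of an entity that was just produced is never escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => ESCAPES[ch]);
}

// Decoding is also a single pass: "&amp;lt;" becomes "&lt;", not "<".
// Only the six entities above are decoded; anything else is left as text.
function unescapeHtml(text) {
  return String(text).replace(
    /&(?:amp|lt|gt|quot|#39|#96);/g,
    (entity) => UNESCAPES[entity]
  );
}

// Constructed samples.
const samples = [
  `<img src=x title="a" alt='b'>`, // markup with both quote styles
  "Tom & Jerry &lt;3",             // input that already contains an entity
  "javascript:void(0)",            // URL-scheme string with no special characters
];
for (const s of samples) {
  const escaped = escapeHtml(s);
  console.log(JSON.stringify(s), "->", JSON.stringify(escaped));
  console.log("  unchanged by escaping:", escaped === s);
  console.log("  round trip ok:", unescapeHtml(escaped) === s);
}
```

The third sample comes back unchanged, which is why entity escaping alone does not make a value safe for a URL attribute.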