HTML Escape / Unescape
Convert HTML special characters like <, >, &, and " to their HTML entity equivalents, or decode HTML entities back to plain text. Essential for safely displaying user-generated content in web pages and preventing XSS attacks.
Common HTML Entities Reference
| Char | Entity Name | Entity Number | Description |
|---|---|---|---|
| `&` | `&amp;` | `&#38;` | Ampersand — must always be escaped in HTML, and escaped first, since every other entity begins with it |
| `<` | `&lt;` | `&#60;` | Less than — starts HTML tags |
| `>` | `&gt;` | `&#62;` | Greater than — ends HTML tags |
| `"` | `&quot;` | `&#34;` | Double quote — delimits attribute values |
| `'` | `&apos;` | `&#39;` | Single quote / apostrophe — prefer `&#39;`, because `&apos;` is not defined in HTML 4 |
| (space) | `&nbsp;` | `&#160;` | Non-breaking space |
| `©` | `&copy;` | `&#169;` | Copyright symbol |
| `®` | `&reg;` | `&#174;` | Registered trademark |
| `™` | `&trade;` | `&#8482;` | Trademark symbol |
| `—` | `&mdash;` | `&#8212;` | Em dash |
Why HTML Escaping Matters
HTML escaping is a critical security practice. When you display user-generated content in a web page without escaping it, attackers can inject malicious HTML or JavaScript — a vulnerability known as Cross-Site Scripting (XSS). For example, if a user submits <script>alert('hacked')</script> as their name and you display it unescaped, the script will execute in every visitor's browser.
When to Escape HTML
- Displaying user-submitted text in web pages
- Rendering API response data in HTML templates
- Showing code examples or HTML snippets on a page
- Storing HTML fragments inside XML documents or JSON strings (the fragment must additionally be escaped for the outer XML or JSON context)
- Generating HTML emails with dynamic content
- Embedding HTML in JavaScript string literals: HTML-escape the dynamic data first, then apply JavaScript/JSON string escaping for the outer context, because entity escaping alone does not make a string safe inside a `<script>` block
HTML Escape vs URL Encode vs JSON Escape
- HTML Escape — converts `<` to `&lt;` — use when inserting text into HTML
- URL Encode — converts spaces to `%20` — use for query parameters and URLs
- JSON Escape — converts `"` to `\"` — use when embedding strings in JSON
Use the JSON Escape tool to safely embed strings inside JSON documents.
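To make the three contexts concrete, here is an added Python example (it is not part of the original tool page) that escapes one constructed attacker payload for each context using only the standard library, and then nests two contexts the way a real link does. `escape_for`, `build_link`, `decode_query_param` and the sample payload are illustrative names and constructed inputs.

```python
import html
import json
import urllib.parse

# Constructed sample input: what an attacker might type into a "display name" field.
PAYLOAD = "<script>alert('x')</script> & \"quoted\""


def escape_for(context: str, value: str) -> str:
    """Escape `value` for exactly one output context.

    'html' -> element content or a double-quoted attribute value
    'url'  -> one query-string parameter value
    'json' -> a JSON string literal (surrounding quotes included)
    """
    if context == "html":
        # & < > " ' become entities; everything else is left alone.
        return html.escape(value, quote=True)
    if context == "url":
        # safe="" so that "/" and "&" are percent-encoded as well.
        return urllib.parse.quote(value, safe="")
    if context == "json":
        # json.dumps wraps in quotes and backslash-escapes ", \ and control chars.
        return json.dumps(value)
    raise ValueError(f"unknown output context: {context!r}")


def build_link(label: str, query_value: str) -> str:
    """Nest two contexts correctly: URL-encode the parameter value, then
    HTML-escape the whole href because it sits inside an attribute.  The
    literal '&' between query parameters therefore appears as '&amp;' in the
    HTML source, which is exactly how a browser expects it."""
    href = "/search?q=" + escape_for("url", query_value) + "&page=1"
    return f'<a href="{escape_for("html", href)}">{escape_for("html", label)}</a>'


def decode_query_param(query_string: str) -> dict:
    """Parse a query string the way a server-side framework would."""
    return dict(urllib.parse.parse_qsl(query_string))


if __name__ == "__main__":
    for ctx in ("html", "url", "json"):
        print(f"{ctx:5} {escape_for(ctx, PAYLOAD)}")
    print(build_link("Next >", "a&b"))
    # Wrong escaper for the context: the server sees q=a and a stray "amp;b" field.
    print(decode_query_param("q=" + escape_for("html", "a&b")))
```

Using the HTML escaper where the URL escaper belongs does not cause an injection here, but it silently corrupts data: `q=a&amp;b` is parsed as `q=a` plus an unrelated `amp;b` field, so the user's `a&b` never reaches the application. Each context needs its own escaper, applied from the innermost context outward.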
HTML Escaping Best Practices for Developers
HTML escaping is one of the most fundamental security practices in web development. Failing to escape user-generated content before rendering it in HTML is the root cause of Cross-Site Scripting (XSS) — one of the most common and dangerous web vulnerabilities. Here are the best practices every developer should follow:
- Always escape output, not input — escape HTML at the point where you render it, not when you store it. This preserves the original data and allows you to render it in different contexts (HTML, JSON, URL) with the appropriate escaping for each.
- Use template engines — React (JSX), Vue, and Angular escape interpolated values by default, and Jinja2 does so when autoescaping is enabled (Flask turns it on for .html templates). Only use raw rendering (dangerouslySetInnerHTML, v-html, the Jinja2 `|safe` filter) for content you explicitly trust.
- Escape all five characters — always escape `&`, `<`, `>`, `"`, and `'`. That set is sufficient for element content and for attribute values enclosed in quotes; unquoted attributes, `<script>` and `<style>` blocks, and URL-valued attributes such as href need more than entity escaping.
- Context matters — HTML escaping is for HTML content. Use URL encoding for URLs, JSON escaping for JSON, and CSS escaping for CSS values.
HTML Escaping in Different Programming Languages
JavaScript
Assign user data with textContent (or createTextNode) rather than innerHTML, so the browser treats it as text instead of parsing it as markup. For manual escaping of a string that will be concatenated into HTML, replace &, <, >, ", and ' with their entities, replacing & first so that the ampersands you introduce are not escaped twice.
Python
Use html.escape(text) from the built-in html module; quote=True is the default, so all five characters are handled, and html.unescape() reverses it. Jinja2 templates auto-escape only when autoescaping is enabled, which Flask does for .html templates.
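The following added Python example (not code from the original page) demonstrates the best-practice list above and the html module note: it renders the page's `<script>` example both raw and escaped, shows why the five-character rule matters inside an attribute by comparing `quote=False` with the default, and uses html.unescape to decode one layer of entities. The function names and attacker inputs are illustrative and constructed.

```python
import html

# Constructed attacker inputs: the page's own example plus an attribute breakout.
ELEMENT_PAYLOAD = "<script>alert('hacked')</script>"
ATTRIBUTE_PAYLOAD = 'x" onmouseover="alert(1)'


def render_vulnerable(display_name: str) -> str:
    """The bug described on the page: raw concatenation of user input into HTML."""
    return f"<p>Welcome, {display_name}</p>"


def render_safe(display_name: str) -> str:
    """Escape at the point of output.  The stored value is untouched, so the same
    record can later be emitted into JSON or a URL with that context's escaper."""
    return f"<p>Welcome, {html.escape(display_name)}</p>"


def render_attribute_unsafe(value: str) -> str:
    """quote=False escapes only & < > and leaves both quote characters alone.
    That is enough for element content, but inside a double-quoted attribute
    the attacker can close the value and append an event-handler attribute."""
    return f'<input value="{html.escape(value, quote=False)}">'


def render_attribute_safe(value: str) -> str:
    """The default quote=True also turns " and ' into entities, so the value
    can never terminate the double-quoted attribute it is placed in."""
    return f'<input value="{html.escape(value)}">'


def decode_entities(text: str) -> str:
    """Reverse escaping.  html.unescape handles named, decimal and hex
    references and decodes exactly one layer, so a double-encoded '&amp;lt;'
    comes back as the inert text '&lt;', not as a live '<'."""
    return html.unescape(text)


if __name__ == "__main__":
    print(render_vulnerable(ELEMENT_PAYLOAD))
    print(render_safe(ELEMENT_PAYLOAD))
    print(render_attribute_unsafe(ATTRIBUTE_PAYLOAD))
    print(render_attribute_safe(ATTRIBUTE_PAYLOAD))
    print(decode_entities("&lt;&#60;&#x3C; &amp;lt;"))
```

Note that `render_attribute_unsafe` is vulnerable even though `&`, `<` and `>` are escaped: the payload contains none of them, and `"` is what closes the attribute. The decoding function also shows why filters must run on decoded text: `&#x3C;script&#x3E;` looks harmless to a check that searches for a literal `<script`, but the browser decodes it before rendering.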
PHP
Use htmlspecialchars($text, ENT_QUOTES, 'UTF-8') to escape all five special characters including single and double quotes.
Java
Use StringEscapeUtils.escapeHtml4() from Apache Commons Text, or a template engine such as Thymeleaf, which auto-escapes by default. Note that escapeHtml4() escapes &, <, >, and " but not the single quote, so attribute values it protects must be enclosed in double quotes; OWASP Java Encoder's Encode.forHtml() escapes all five characters.
HTML Entities for Special Symbols
Beyond security escaping, HTML entities are also used to display special symbols that cannot be typed directly or that have special meaning in HTML:
- `&mdash;` — em dash (—) used in typography
- `&ndash;` — en dash (–) used in ranges
- `&hellip;` — ellipsis (…)
- `&laquo;` and `&raquo;` — left and right angle quotes (« »)
- `&times;` — multiplication sign (×)
- `&divide;` — division sign (÷)
- `&euro;` — euro sign (€)
- `&pound;` — pound sign (£)
Related Tools
- JSON Escape / Unescape — escape special characters inside JSON strings
- URL Encoder / Decoder — percent-encode URLs and query parameters
- Hash Generator — generate MD5, SHA-256, SHA-512 hashes
- Text Case Converter — convert text to camelCase, snake_case, and more
- JSON Formatter — format and validate JSON documents