HTML Tool
HTML Escape / Unescape
Convert HTML special characters like <, >, &, and " to their HTML entity equivalents, or decode HTML entities back to plain text. Essential for safely displaying user-generated content in web pages and preventing XSS attacks.
Common HTML Entities Reference
| Char | Entity Name | Entity Number | Description |
|---|---|---|---|
| & | `&amp;` | `&#38;` | Ampersand — must always be escaped in HTML |
| < | `&lt;` | `&#60;` | Less than — starts HTML tags |
| > | `&gt;` | `&#62;` | Greater than — ends HTML tags |
| " | `&quot;` | `&#34;` | Double quote — used in attribute values |
| ' | `&apos;` | `&#39;` | Single quote / apostrophe |
|   | `&nbsp;` | `&#160;` | Non-breaking space |
| © | `&copy;` | `&#169;` | Copyright symbol |
| ® | `&reg;` | `&#174;` | Registered trademark |
| ™ | `&trade;` | `&#8482;` | Trademark symbol |
| — | `&mdash;` | `&#8212;` | Em dash |
Why HTML Escaping Matters
HTML escaping is a critical security practice. When you display user-generated content in a web page without escaping it, attackers can inject malicious HTML or JavaScript — a vulnerability known as Cross-Site Scripting (XSS). For example, if a user submits <script>alert('hacked')</script> as their name and you display it unescaped, the script will execute in every visitor's browser.
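An added example, not code from this tool: a JavaScript sketch that escapes and unescapes in a single pass each, applied to the payload quoted in the paragraph above. The function names and the small named-entity table are assumptions made for illustration.

```javascript
// The five characters that change how HTML text and quoted attributes are parsed.
// The apostrophe uses the numeric form because &apos; was not defined in HTML 4.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Named entities this sketch decodes (assumption: a deliberately small subset).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0',
                copy: '\u00A9', reg: '\u00AE', trade: '\u2122', mdash: '\u2014' };

// Escape in ONE pass so an '&' produced by an earlier replacement is never
// escaped again (chained replace calls in the wrong order yield "&amp;lt;").
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode in ONE pass for the same reason: "&amp;lt;" must become "&lt;", not "<".
function unescapeHtml(html) {
  return String(html).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // Leave NUL and out-of-range references untouched instead of throwing.
      return code > 0 && code <= 0x10FFFF ? String.fromCodePoint(code) : match;
    }
    // Unknown entity names are left exactly as written.
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Constructed sample input: the payload from the paragraph above.
const submitted = "<script>alert('hacked')</script>";
const safe = escapeHtml(submitted);
console.log(safe);               // rendered by a browser as visible text, not markup
console.log(unescapeHtml(safe)); // round-trips to the submitted string
```

This escaping covers HTML text and quoted attribute values only; URLs and JavaScript or JSON string contexts need their own encoders.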
When to Escape HTML
- Displaying user-submitted text in web pages
- Rendering API response data in HTML templates
- Showing code examples or HTML snippets on a page
- Storing HTML content in JSON or XML attributes
- Generating HTML emails with dynamic content
- Embedding HTML in JavaScript string literals
HTML Escape vs URL Encode vs JSON Escape
- HTML Escape — converts `<` to `&lt;` — use when inserting text into HTML
- URL Encode — converts spaces to `%20` — use for query parameters and URLs
- JSON Escape — converts `"` to `\"` — use when embedding strings in JSON
Need to escape JSON strings too?
Use the JSON Escape tool to safely embed strings inside JSON documents.