Developer Playground

HTML Escape / Unescape

Escape or unescape HTML entities in your text

About HTML Escape/Unescape

This tool helps you escape special HTML characters to their corresponding HTML entities or unescape HTML entities back to their original characters.

Examples:

  • <div> becomes &lt;div&gt; (escaped)
  • &lt;div&gt; becomes <div> (unescaped)
  • "Hello" becomes &quot;Hello&quot; (escaped)

Why Escape HTML?

HTML escaping is a critical security measure used to prevent Cross-Site Scripting (XSS) attacks. By converting special characters (like <, >, &, ", and ') into HTML entities, you ensure that web browsers treat user input as plain text rather than executable code or HTML markup.

How XSS Prevention Works

Imagine a user enters a comment: <script>alert('Hacked!')</script>. If your site writes this into the page without escaping it, the browser will execute the script. By escaping it, the text becomes:
&lt;script&gt;alert(&#39;Hacked!&#39;)&lt;/script&gt;
The browser will now safely display the literal characters instead of running the code.

Common HTML Entities Table

Character   Entity Name   Entity Number
<           &lt;          &#60;
>           &gt;          &#62;
&           &amp;         &#38;
"           &quot;        &#34;
'           &apos;        &#39;
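
The escape and unescape operations for the five characters in the table above, as an added JavaScript example (not this tool's own code; the function and constant names are assumptions made for the example). It shows why each direction should be a single pass, so that already-escaped text such as &amp;lt; round-trips correctly:

```javascript
// Added example: escape/unescape for the five characters listed in the table.
// Names (ESCAPE_MAP, escapeHtml, unescapeHtml) are chosen for this example.

const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Named and numeric forms from the table, mapped back to their characters.
const UNESCAPE_MAP = {
  '&amp;': '&', '&#38;': '&',
  '&lt;': '<', '&#60;': '<',
  '&gt;': '>', '&#62;': '>',
  '&quot;': '"', '&#34;': '"',
  '&apos;': "'", '&#39;': "'",
};

function escapeHtml(text) {
  // Single pass: every input character is replaced at most once, so the '&'
  // that starts a freshly written entity is never escaped a second time.
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

function unescapeHtml(text) {
  // Single pass for the same reason: "&amp;lt;" must decode to the text
  // "&lt;", not to "<". Chained replaces that decode &amp; first get this wrong.
  return String(text).replace(
    /&(?:amp|lt|gt|quot|apos|#38|#60|#62|#34|#39);/g,
    (entity) => UNESCAPE_MAP[entity]
  );
}

// Constructed sample inputs.
const comment = "<script>alert('Hacked!')</script>";
const escaped = escapeHtml(comment);
console.log(escaped);                          // safe to place in page text
console.log(unescapeHtml(escaped) === comment); // round trip restores the input
console.log(escapeHtml('&lt;'));               // text that already looks escaped
console.log(unescapeHtml('&amp;lt;'));         // decodes one level only
```

This encoding is for text placed in element content or inside quoted attribute values; other contexts such as script blocks or URLs need their own encoding.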

Escaping vs. Sanitizing

It's important to understand the difference between these two security concepts:

  • Escaping: Converts all special characters into safe entities. The output displays exactly as the input was typed and is never interpreted as HTML.
  • Sanitizing: Removes or strips out dangerous HTML tags and attributes (like <script> or onclick) while allowing "safe" tags like <b> or <i> to remain. This is used when you want to allow some rich-text formatting.

Recommendation: Always escape by default. Only use sanitization (via libraries like DOMPurify) if you explicitly need to render user-provided HTML.

How to use this tool

Enter your raw HTML or text into the Input area. Click Escape HTML to safely encode characters for web display. Click Unescape HTML to decode previously escaped text back to its original form. You can also use the Load Test Example button to see how it works instantly.