HTML Escape
Convert &, <, >, " and other HTML special characters to their safe entity equivalents. Essential for preventing XSS vulnerabilities.
< → &lt;
> → &gt;
& → &amp;
" → &quot;
Why use HTML Escape & Unescape?
When displaying user-generated content in a web page, characters like <, >, and & must be converted to their HTML entity equivalents to prevent the browser from interpreting them as markup. Failing to escape HTML is one of the most common causes of Cross-Site Scripting (XSS) vulnerabilities. Conversely, unescape converts entities back to readable text for display or processing.
XSS prevention
Escaping user input before rendering it in HTML is the primary defence against Cross-Site Scripting attacks.
Two-way conversion
Escape raw HTML to entities, or unescape entities back to their original characters — both in one tool.
Instant output
Results update in real time as you type, and the swap button lets you chain encode/decode operations without copy-pasting.
HTML entities reference
These five entities are the most critical to escape when rendering untrusted content in HTML.
| Character | Named entity | Numeric entity | Why escape it |
|---|---|---|---|
| & | `&amp;` | `&#38;` | Starts all HTML entities — must be escaped first |
| < | `&lt;` | `&#60;` | Opens HTML tags — key XSS vector if unescaped |
| > | `&gt;` | `&#62;` | Closes HTML tags — required for safe rendering |
| " | `&quot;` | `&#34;` | Breaks out of attribute values enclosed in double quotes |
| ' | `&apos;` | `&#39;` | Breaks out of attribute values enclosed in single quotes |
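
The table's rule that `&` must be escaped first, shown as an added example (this is not the tool's own code; the function names and the sample string are assumptions made for illustration). A single-pass escape avoids the ordering problem, the sequential version shows what goes wrong when `&` is handled last, and the unescape side decodes each entity exactly once.

```javascript
// Added example; function names are illustrative, sample input is constructed.
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Single pass: every input character is examined once, so entities that
// were just produced are never escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY[ch]);
}

// Sequential replacement in a caller-chosen order, to show the ordering rule.
// If "&" is not first, the "&" inside "&lt;" etc. is escaped again.
function escapeSequential(text, order) {
  return order.reduce((out, ch) => out.split(ch).join(ENTITY[ch]), String(text));
}

// Decode the named and decimal numeric forms listed in the table.
// One pass again: "&amp;lt;" becomes "&lt;" and is not decoded further.
const CHAR = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  "#38": "&", "#60": "<", "#62": ">", "#34": '"', "#39": "'",
};
function unescapeHtml(text) {
  return String(text).replace(
    /&(amp|lt|gt|quot|apos|#38|#60|#62|#34|#39);/g,
    (_, name) => CHAR[name]
  );
}

// Constructed sample containing all five characters.
const sample = `<a title="Tom & Jerry's">`;
console.log(escapeHtml(sample));
console.log(escapeSequential(sample, ["&", "<", ">", '"', "'"])); // same as above
console.log(escapeSequential(sample, ["<", ">", '"', "'", "&"])); // double-escaped
console.log(unescapeHtml(escapeHtml(sample)) === sample);
```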