Home/Encoding Tools/HTML escape / unescape

HTML escape / unescape

HTML Escape and Unescape Tool

Protect markup, debug payloads, and keep strings safe for templates.

0 -> 0 bytes Waiting
InputPaste HTML or entities
OutputUpdates live
Escapes & decodes entities safely Live output with swap Great for templates and payloads

How it works

Escaping swaps HTML-sensitive characters for entities so browsers treat them as text; unescaping reverses that mapping to restore the original markup or string.

  • Escapes &, <, >, \" , and ' to keep payloads safe in HTML contexts.
  • Escaping is not XSS prevention alone; validate inputs and use proper templating.

Quick examples

Escape HTML
<div class=\"hero\">Tom & Jerry
<div class="hero">Tom & Jerry</div>
Unescape entities
&lt;script&gt;alert('ok')&lt;/script&gt;
<script>alert('ok')</script>

Escape before injecting user text; unescape when you need to inspect encoded payloads.

Mini FAQ

Which characters get escaped?

&, <, >, double quotes, and single quotes are converted to entities.

Why does unescape need a browser?

It relies on DOM parsing; running server-side without a DOM would fail.

Does this stop XSS?

It helps, but you still need proper templating and validation.