HTML escape / unescape
HTML Escape and Unescape Tool
Protect markup, debug payloads, and keep strings safe for templates.
0 -> 0 bytes Waiting
InputPaste HTML or entities
OutputUpdates live
Escapes & decodes entities safely Live output with swap Great for templates and payloads
How it works
Escaping swaps HTML-sensitive characters for entities so browsers treat them as text; unescaping reverses that mapping to restore the original markup or string.
- Escapes &, <, >, \" , and ' to keep payloads safe in HTML contexts.
- Escaping is not XSS prevention alone; validate inputs and use proper templating.
Quick examples
Escape HTML
<div class=\"hero\">Tom & Jerry
<div class="hero">Tom & Jerry</div>
Unescape entities
<script>alert('ok')</script>
<script>alert('ok')</script>
Escape before injecting user text; unescape when you need to inspect encoded payloads.
Mini FAQ
Which characters get escaped?
&, <, >, double quotes, and single quotes are converted to entities.
Why does unescape need a browser?
It relies on DOM parsing; running server-side without a DOM would fail.
Does this stop XSS?
It helps, but you still need proper templating and validation.
Related tools