What is HTML Escaping?
HTML escaping is the process of replacing characters that have special meaning in HTML with their corresponding entity references. The five characters that must be escaped are ampersand (&), less-than (<), greater-than (>), double quote ("), and single quote ('). Without escaping, a browser interprets these characters as markup instructions rather than displayable text, which breaks page rendering and opens the door to injection attacks.
The HTML specification (maintained by WHATWG) defines two forms of character references: named entities like & and numeric entities like & or &. Named entities are easier to read in source code. Numeric entities (decimal or hexadecimal) can represent any Unicode code point, making them useful for characters that lack a named alias. Both forms produce identical output in the browser.
Unescaping (also called decoding) is the reverse operation: converting entity references back to their literal characters. This is common when extracting text from HTML source, migrating content between systems, or debugging templates that double-encode entities. This tool handles both directions in the browser, so you can verify your escaping logic or recover plain text from an HTML-heavy source in seconds.
Why Use an HTML Escape Tool?
Manually replacing angle brackets and ampersands across large blocks of text is tedious and error-prone. A dedicated tool converts your input in one step with no installation required.
⚡
Instant conversion
Paste text or HTML and get escaped or unescaped output immediately. No waiting for a server round-trip because all processing happens locally in JavaScript.
🔒
Privacy-first processing
Your input never leaves the browser. Nothing is sent to a server or stored anywhere, so you can safely escape markup containing credentials, API keys, or internal code.
📋
No account or setup
Open the page and start pasting. There is no login wall, no email gate, and no software to install. Works on any device with a modern browser.
🌐
Full entity coverage
Handles the five mandatory HTML special characters plus numeric entities (decimal and hexadecimal). Supports round-trip conversion: escape then unescape returns the original string.
HTML Escape Use Cases
Frontend developer: displaying user input
When rendering user-submitted text inside a page, escape it first to prevent the browser from interpreting it as HTML tags. This is the primary defense against stored XSS in any template that outputs raw strings.
Backend engineer: generating HTML responses
Server-side code that concatenates strings into HTML must escape dynamic values before insertion. Use this tool to verify that your escaping function produces the correct output for edge cases like nested quotes.
DevOps: embedding config in HTML
Inline JSON or shell commands inside an HTML page (for example, in a script tag or a data attribute) require escaping. Verify that angle brackets and ampersands in your config snippets are properly encoded.
QA engineer: testing XSS vectors
Paste common XSS payloads into the tool to confirm that your application's output matches the correctly escaped version. Compare the escaped output character by character against what your app produces.
Technical writer: code samples in documentation
Publishing code snippets in HTML-based docs (Jekyll, Hugo, custom CMSs) requires escaping angle brackets for generic type syntax and template placeholders. Paste your code sample and every special character is encoded instantly.
Student: learning HTML entities
Type or paste any character and see its named and numeric entity forms. Experiment with edge cases like non-breaking spaces, em dashes, and Unicode symbols to understand how HTML character encoding works.
HTML Entity Reference Table
The table below lists commonly used HTML entities. The five special characters (& < > " ') must always be escaped in HTML content and attribute values. Other entities are optional but useful for characters that are hard to type or ambiguous in source code.
| Character | Description | Named entity | Numeric entity |
|---|---|---|---|
| & | Ampersand | & | & |
| < | Less-than sign | < | < |
| > | Greater-than sign | > | > |
| " | Double quote | " | " |
| ' | Single quote / apostrophe | ' | ' |
| Non-breaking space | |   | |
| © | Copyright sign | © | © |
| ® | Registered sign | ® | ® |
| — | Em dash | — | — |
| ’ | Right single quote | ’ | ’ |
| € | Euro sign | € | € |
Escaping vs. Unescaping: When to Use Each
The two operations are inverses. Choosing the wrong direction produces double-encoded or unprotected output.
Escape (encode)
Use when inserting untrusted or dynamic text into HTML. Converts literal < to < so the browser displays the character instead of starting a tag. Apply before rendering user input, log entries, or any string that might contain markup.
Unescape (decode)
Use when extracting plain text from an HTML source. Converts < back to <. Apply when migrating content from a CMS, parsing scraped HTML, or fixing double-encoded strings like &amp; that display entity names instead of characters.
Code Examples
Below are working examples of HTML escaping and unescaping in four languages. Each snippet covers both directions and handles edge cases like nested quotes and numeric entities.
JavaScript (browser / Node.js)
// Escape HTML entities manually
function escapeHtml(str) {
return str
.replace(/&/g, '&')
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"')
.replace(/'/g, ''')
}
escapeHtml('<img src="x" onerror="alert(1)">')
// → "<img src="x" onerror="alert(1)">"
// Unescape using DOMParser (browser only)
function unescapeHtml(str) {
const doc = new DOMParser().parseFromString(str, 'text/html')
return doc.documentElement.textContent
}
unescapeHtml('<div>Hello</div>')
// → "<div>Hello</div>"Python
import html
# Escape special characters
html.escape('<script>alert("XSS")</script>')
# → '<script>alert("XSS")</script>'
# Escape including single quotes (quote=True is default in Python 3.8+)
html.escape("It's <b>bold</b>", quote=True)
# → 'It's <b>bold</b>'
# Unescape entities back to characters
html.unescape('<p>Price: €10</p>')
# → '<p>Price: €10</p>'
# Unescape numeric entities
html.unescape('<div>&amp;</div>')
# → '<div>&</div>'Go
package main
import (
"fmt"
"html"
)
func main() {
// Escape HTML special characters
escaped := html.EscapeString(`<a href="page?id=1&sort=name">Link</a>`)
fmt.Println(escaped)
// → <a href="page?id=1&sort=name">Link</a>
// Unescape back to original
original := html.UnescapeString("<b>Go & HTML</b>")
fmt.Println(original)
// → <b>Go & HTML</b>
}PHP
<?php
// Escape HTML entities (ENT_QUOTES escapes both " and ')
echo htmlspecialchars('<p class="info">Tom & Jerry's</p>', ENT_QUOTES, 'UTF-8');
// → <p class="info">Tom & Jerry's</p>
// Convert all applicable characters to HTML entities
echo htmlentities('Price: 10€ — 50% off', ENT_QUOTES, 'UTF-8');
// → Price: 10€ — 50% off
// Decode entities back
echo html_entity_decode('<div>&copy; 2026</div>');
// → <div>© 2026</div>Frequently Asked Questions
What is the difference between HTML escaping and URL encoding?
HTML escaping replaces characters that are special in HTML (< > & " ') with entity references like < so they display as text. URL encoding (percent-encoding) replaces characters that are unsafe in URLs with %XX hex sequences. They protect different contexts: HTML escaping prevents markup injection, while URL encoding ensures valid query strings and path segments.
Which characters must be escaped in HTML?
The five characters that must always be escaped are: & (ampersand), < (less-than), > (greater-than), " (double quote inside attributes), and ' (single quote inside attributes). Failing to escape any of these can break rendering or create a cross-site scripting vulnerability.
Is ' valid in HTML5?
Yes. The ' named entity is defined in the HTML5 specification and supported by all modern browsers. It was not part of HTML 4, which only recognized &, <, >, and ". If you need to support very old HTML 4 parsers, use the numeric form ' instead.
How do I fix double-encoded HTML entities like &amp;?
Double encoding happens when an already-escaped string passes through the escaping function a second time. The fix is to unescape until the output stabilizes. Paste the double-encoded string into this tool in unescape mode, then run it again if & references remain. To prevent double encoding, check whether the input is already escaped before applying the escape function.
Can I use HTML entities inside JavaScript strings?
HTML entities are interpreted by the HTML parser, not the JavaScript engine. Inside a script block, the code runs after the HTML parser processes the page, so < in a script block becomes < before JavaScript sees it. For inline event handlers (onclick, etc.), the attribute value is HTML-decoded first, then executed as JavaScript. In external .js files, entities have no special meaning and are treated as literal text.
What is the difference between htmlspecialchars and htmlentities in PHP?
htmlspecialchars() escapes only the five special characters (& < > " ') that affect HTML structure. htmlentities() escapes those five plus every character that has a named HTML entity, such as the copyright sign and accented letters. For security purposes, htmlspecialchars() with ENT_QUOTES is sufficient. htmlentities() is useful when you need ASCII-safe output for systems that cannot handle UTF-8.
Is HTML escaping enough to prevent XSS?
HTML escaping prevents XSS in the most common case: inserting untrusted text into HTML element content or attribute values. It does not protect other injection contexts. Inserting user data into a script block requires JavaScript string escaping. Inserting into a style attribute requires CSS escaping. Inserting into a URL attribute (href, src) requires URL validation plus encoding. A complete XSS defense applies context-specific escaping at every insertion point.