HTML Escape / Unescape

Escape raw text to HTML entities so it displays literally in a browser, or unescape entities back to readable characters. Use it when writing code examples for documentation, embedding user-supplied text in templates, or debugging double-escaped HTML output.

Most current tools process data directly in your browser. If a tool requires external processing, it will say so clearly.

How to Escape and Unescape HTML

  1. Paste your text or HTML into the input area
  2. Click 'Escape HTML' to convert special characters to entities
  3. Or click 'Unescape HTML' to convert entities back to characters
  4. Copy the result to use in your code or template

Key Benefits

  • Escapes the five HTML-special characters: &, <, >, ", and '
  • Unescapes named entities (&amp;, &lt;) and numeric entities (&#39;)
  • Handles both directions — escape for display, unescape for reading
  • Runs entirely in your browser — no data leaves your device

Frequently Asked Questions

What does HTML escaping do?

HTML escaping replaces characters that have special meaning in HTML with their safe entity equivalents: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot;, and ' becomes &#39;. This tells the browser to display these characters as text rather than interpreting them as HTML markup — essential whenever you display user-provided content or show code examples inside a web page.
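
The mapping above and its inverse, as an added JavaScript example (not this tool's own code). The names escapeHtml, unescapeHtml and escapeDepth are chosen here for illustration; escapeDepth is a heuristic helper for spotting double-escaped output such as &amp;lt;.

```javascript
// Added example: the five-character mapping described on this page.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Named entities this example decodes (assumption: only the basic five).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Escape in a single pass, so an '&' produced by one replacement
// is never escaped a second time within the same call.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode exactly one layer: the named entities above plus decimal (&#39;)
// and hex (&#x27;) references. Unknown names and invalid code points
// are left untouched rather than guessed at.
function unescapeHtml(text) {
  return String(text).replace(/&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z]+));/g,
    (match, dec, hex, name) => {
      if (name !== undefined) {
        return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
      }
      const code = dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16);
      const valid = code > 0 && code <= 0x10ffff && !(code >= 0xd800 && code <= 0xdfff);
      return valid ? String.fromCodePoint(code) : match;
    });
}

// Heuristic: count how many decode passes change the string.
// 0 = no entities, 1 = escaped once, 2 = double-escaped, and so on.
function escapeDepth(text, maxDepth = 5) {
  let depth = 0;
  let current = String(text);
  while (depth < maxDepth) {
    const decoded = unescapeHtml(current);
    if (decoded === current) break;
    current = decoded;
    depth += 1;
  }
  return depth;
}

// Constructed sample input.
const sample = `<a href="x">Tom & Jerry's</a>`;
console.log(escapeHtml(sample));
console.log(escapeDepth(escapeHtml(escapeHtml(sample)))); // double-escaped
```
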

What is the difference between HTML escaping and URL encoding?

HTML escaping targets the five characters that have special meaning in HTML markup (&, <, >, ", '). URL encoding (percent-encoding) converts characters that are not safe in a URL into %XX sequences. They solve different problems: HTML-escaped text is safe inside HTML documents; URL-encoded text is safe inside URL parameters and paths. They are not interchangeable — using HTML escaping on a URL breaks the URL, and using URL encoding inside HTML does not prevent XSS.

What is the difference between escaping and sanitizing HTML?

Escaping converts all special characters to entities, making the entire input display as literal text — nothing is interpreted as markup. Sanitizing selectively keeps safe tags and attributes (like <b> or <a href="...">) while removing or neutralizing dangerous ones (like <script> or onclick handlers). For displaying plain text, always escape. Only sanitize when you specifically want to allow a subset of user-authored HTML markup, such as in a rich-text comment field.

Are there characters that don't need HTML escaping?

Regular letters, digits, and most punctuation (!, ?, ., ,, etc.) are safe in HTML and don't need escaping. Only & and < must always be escaped in text content; > is technically safe but conventionally escaped. Double quotes (") need escaping inside double-quoted attribute values; single quotes (') need escaping inside single-quoted attribute values. Named or numeric entities for other characters (like &copy; or &mdash;) are optional in UTF-8 HTML5 — those characters are valid without escaping.

When does escaping happen automatically, and when doesn't it?

Most templating engines (Jinja2, Handlebars, ERB, Blade, Twig) escape output by default in their standard interpolation syntax. React escapes text children automatically. The danger is in the explicit escape hatches: React's dangerouslySetInnerHTML, Vue's v-html, Django's |safe, PHP's echo with no htmlspecialchars, and any hand-built HTML string concatenation. These require you to ensure the content is safe before rendering it. Note: HTML entity rules do not apply inside <script> or <style> blocks — those contexts follow JavaScript and CSS syntax, not HTML.
