HTML Escape
HTML Escape converts the five characters that carry special meaning in markup — &, <, >, double quote and single quote — into their entity equivalents, so a snippet of text or code is displayed verbatim instead of being interpreted as HTML. Switch to Unescape to reverse it.
This is the focused, security-minded transform you apply to untrusted input before placing it on a page. It runs entirely in your browser.
How to use HTML Escape
1. Choose a direction: Escape to make text safe for markup, or Unescape to reverse it.
2. Paste your text: Enter the snippet, code sample or untrusted string.
3. Copy the result: Use the escaped output directly inside your HTML.
Why escaping prevents XSS
Cross-site scripting happens when untrusted text is dropped into a page and the browser interprets part of it as markup or script. Escaping the reserved characters means a stray <script> tag becomes the literal text &lt;script&gt;, visible to the reader but inert to the browser.
Escaping these five characters is the baseline defence whenever you render user-supplied content. Frameworks do it automatically; this tool lets you do it by hand for snippets, templates and debugging.
Escape vs full encode
Escaping is deliberately minimal: it changes only the characters that matter for safety and leaves everything else, including accents and Unicode, untouched and readable. That keeps the output close to the original.
When you also want to convert non-ASCII characters into entities — for storage or ASCII-only transports — use the HTML Encoder instead.
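The Escape and Unescape directions described above, as an added example that is not this tool's own code: the function names are hypothetical and `&#39;` is assumed as the single-quote entity. Both directions run in a single pass, and a chained-replace unescape is included to show how it decodes twice.

```javascript
// Added example, not the tool's code. Names and the &#39; spelling are assumptions.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = {
  '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"',
  '&#39;': "'", '&#x27;': "'", '&apos;': "'", // common spellings of the single quote
};

// Single pass: every input character is rewritten at most once, so the "&"
// that "&lt;" introduces is never escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Single pass again: "&amp;lt;" must decode to the text "&lt;", not to "<".
function unescapeHtml(text) {
  return String(text).replace(
    /&(?:amp|lt|gt|quot|apos|#39|#x27);/g,
    (entity) => UNESCAPES[entity]
  );
}

// Faulty variant for contrast: chained replaces re-scan their own output,
// so decoding "&amp;" first lets the following replaces decode a second time.
function naiveUnescape(text) {
  return String(text)
    .replace(/&amp;/g, '&')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>');
}

// Constructed sample input: markup, an ampersand and a non-ASCII character.
const untrusted = '<script>alert("x")</script> & café';
const escaped = escapeHtml(untrusted);
console.log(escaped);
// Accents pass through untouched; only the five reserved characters change.

// Text that already looks like an entity must survive a round trip.
const literalEntity = '&lt;b&gt;';                    // the user typed these 9 characters
const stored = escapeHtml(literalEntity);             // "&amp;lt;b&amp;gt;"
console.log(unescapeHtml(stored) === literalEntity);  // single pass: round trip holds
console.log(naiveUnescape(stored));                   // chained: yields live "<b>" markup
```

The five-character escape covers HTML text and quoted attribute values; values placed in script blocks, URLs or unquoted attributes need encoding for that context instead.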
Frequently asked questions
- Which characters does it escape?
- The five reserved characters: & becomes &amp;, < becomes &lt;, > becomes &gt;, double quote becomes &quot; and single quote becomes &#39;.
- Is escaping reversible?
- Yes. The Unescape direction converts those same entities back into their characters.
- Is my text uploaded?
- No. Escaping runs entirely in your browser.