HTML Escape / Unescape

Convert special characters like <, >, &, and " into safe HTML entities, or convert HTML entities back to their original characters. Escaping user-generated content before inserting it into HTML text or a quoted attribute value is essential for preventing cross-site scripting (XSS) vulnerabilities. Toggle between encode and decode modes with a single click.

All processing happens in your browser. No data is sent to any server.

Frequently Asked Questions

Which characters does HTML escaping convert?
The five characters that can change the meaning of HTML text or a quoted attribute value: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot;, and ' becomes &apos;. Note that &apos; was defined for XML/XHTML and only became a standard HTML entity in HTML5; if the output must also render correctly in HTML 4 parsers, use the numeric reference &#39; for the single quote instead.
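The encode and decode steps described above, written out as plain functions. This is an added example, not the tool's own code; the single quote is emitted as &#39; here for the portability reason noted above, while &apos; is still accepted when decoding.

```javascript
// Added example (not the tool's own code): HTML escaping and unescaping of
// the five characters that matter in HTML text and quoted-attribute context.
// Single quote is emitted as &#39; rather than &apos; because &apos; was not
// defined in HTML 4; both are accepted when decoding.

const ESCAPE_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// One regex pass, so the '&' introduced by a replacement is never
// re-escaped (a sequential replace that handled '<' before '&' would
// turn "<" into "&amp;lt;").
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

const NAMED_ENTITIES = {
  amp: "&",
  lt: "<",
  gt: ">",
  quot: '"',
  apos: "'",
};

// Decodes the named entities above plus decimal (&#65;) and hexadecimal
// (&#x41;) character references. Unknown names and out-of-range code
// points are left as they are rather than guessed at.
function unescapeHtml(html) {
  return String(html).replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z]+));/g,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
      }
      // hasOwnProperty rather than `in`: "&constructor;" must not resolve
      // to a property inherited from Object.prototype.
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
        ? NAMED_ENTITIES[name]
        : match;
    }
  );
}

// Round trip on a constructed XSS payload (sample input made up for this example).
const sample = `<img src=x onerror="alert('xss')">`;
console.log(escapeHtml(sample));
console.log(unescapeHtml(escapeHtml(sample)) === sample); // true
```

Decoding is deliberately conservative: anything that is not a recognised named entity or a valid numeric reference is passed through unchanged, which matters when the output is compared against the original input.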
Does escaping HTML prevent XSS attacks?
HTML escaping is one important layer, but not a complete solution on its own. It's effective when inserting user-supplied text into HTML content or into a quoted attribute value. However, different contexts need different escaping: a value inserted into a JavaScript string, a URL, or a CSS property each needs its own encoding, and an attribute value is only protected if the attribute is quoted. A sanitization library solves a different problem, allowing some user-supplied markup through rather than none, and is the right tool only when that is actually required. For defence in depth, pair context-appropriate escaping with a Content Security Policy (CSP).
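The context problem above, shown on constructed payloads: one where HTML escaping is bypassed by an unquoted attribute, one where it is irrelevant inside a JavaScript string literal, and one where it cannot stop a javascript: URL. This is an added example, not the tool's own code; the helper names and the http/https-only link policy are assumptions made for this example.

```javascript
// Added example (not the tool's own code): one payload shape per context,
// showing where plain HTML escaping stops helping. The helpers and the
// http/https-only link policy are assumptions made for this example.

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Attribute context. Escaping is only enough if the attribute is quoted:
// an unquoted value ends at the first space, so a payload with none of the
// five escaped characters injects a new attribute untouched.
function titleAttrUnquoted(value) {
  return `<div title=${escapeHtml(value)}>`;   // still exploitable
}
function titleAttrQuoted(value) {
  return `<div title="${escapeHtml(value)}">`; // payload stays inside the quotes
}

// JavaScript string-literal context, e.g. <script>var x = ...;</script>.
// HTML entities are not decoded inside <script>, and the HTML parser ends the
// block at the first "</script" it sees, so the characters that could close
// the literal or the block are written as \u escapes instead.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// URL context for an href. Entity escaping does nothing against a
// javascript: URL, so the scheme is checked first; the WHATWG URL parser
// strips the tabs and newlines browsers ignore ("java\tscript:").
// Relative URLs resolve against the placeholder base and are allowed.
function safeHref(url) {
  const raw = String(url);
  let protocol;
  try {
    protocol = new URL(raw, "https://placeholder.invalid/").protocol;
  } catch {
    return "#";
  }
  if (protocol !== "http:" && protocol !== "https:") return "#";
  return escapeHtml(raw); // now escape for the attribute it lands in
}

// Constructed payloads, one per context.
console.log(titleAttrUnquoted("x onmouseover=alert(1)"));
console.log(titleAttrQuoted("x onmouseover=alert(1)"));
console.log(jsStringLiteral("</script><script>alert(1)</script>"));
console.log(safeHref("java\tscript:alert(1)"));
```

The order matters in the URL case: validate the scheme on the raw value first, then escape for the attribute; escaping first would hide nothing from the scheme check but would also not have stopped the javascript: URL.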
When should I escape HTML?
Always escape user-supplied (or otherwise untrusted) content before inserting it into HTML text or a quoted attribute value, to prevent cross-site scripting (XSS) attacks. Escape at the point of output rather than when the value is stored, so the raw value stays available for other contexts that need a different encoding.
Can I unescape HTML entities back to plain text?
Yes. Paste your escaped HTML and switch to Unescape mode to convert all entities back to their original characters. Keep in mind that unescaping restores any markup the content contained, so never insert the unescaped result into a page as HTML.
