Tiny Toolkit

HTML Escape / Unescape — Convert Special Characters

Convert special characters like <, >, &, and " into safe HTML entities, or convert HTML entities back to their original characters. Escaping user-generated content before inserting it into an HTML document is essential for preventing cross-site scripting (XSS) vulnerabilities. Toggle between encode and decode modes with a single click.

All processing happens in your browser. No data is sent to any server.

Frequently Asked Questions

Which characters does HTML escaping convert?
The five standard HTML entities: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot;, and ' becomes &apos;.
Does escaping HTML prevent XSS attacks?
HTML escaping is one important layer, but not a complete solution on its own. It's effective when inserting user-supplied text into HTML content. However, different contexts require different escaping; inserting values into JavaScript, URLs, or CSS attributes each need their own approach. For robust XSS prevention, use a content security policy (CSP) and a trusted sanitization library alongside HTML escaping.
When should I escape HTML?
Always escape user-supplied content before inserting it into an HTML document to prevent cross-site scripting (XSS) attacks.
Can I unescape HTML entities back to plain text?
Yes. Paste your escaped HTML and switch to Unescape mode to convert all entities back to their original characters.

Related Tools

Word Counter — Count Words, Characters & More Online

Count words, characters (with and without spaces), sentences, and paragraphs in real time. Paste any text and get instant stats. Free.

Case Converter

Convert text between UPPERCASE, lowercase, Title Case, snake_case, kebab-case, camelCase, and more.

Sort Lines — Sort Text Alphabetically or by Length

Sort any list of lines alphabetically, by length, or in reverse order. Includes a case-sensitive toggle and options to sort A→Z, Z→A, shortest first, or longest first. Free.

Related Articles

How to Escape HTML Characters (And Why It Matters)

Displaying user-generated content without escaping HTML special characters is one of the most common causes of XSS vulnerabilities. Here's how to do it right.

5 min read

How to Create SEO-Friendly URL Slugs

A slug is the human-readable part of a URL. Clean, consistent slugs improve readability, shareability, and search engine rankings.

5 min read