HTML Escape / Unescape
Convert special characters to HTML entities and decode them back for templates, HTML, emails and code samples.
About HTML Escape / Unescape
The HTML Escape / Unescape tool lets you convert special characters to HTML entities and back when working with HTML, templates and emails.
HTML Entity Conversion
```javascript
// HTML Escape function
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")   // & must be first, or later entities get double-escaped
    .replace(/</g, "&lt;")    // Less than
    .replace(/>/g, "&gt;")    // Greater than
    .replace(/"/g, "&quot;")  // Double quote
    .replace(/'/g, "&#39;");  // Single quote
}

// HTML Unescape function
function unescapeHtml(text) {
  return text
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&"); // & must be last, so "&amp;lt;" decodes to "&lt;", not "<"
}
```
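As an added example (not ToolForge's own code), the same escaping done in a single regex pass with a lookup map, which removes the ordering dependency of chained `.replace()` calls, plus an unescape that also decodes numeric entities (`&#60;`, `&#x3C;`) and leaves unknown or out-of-range references untouched. The `needsEscaping` helper is an assumption of this example; it flags strings that still contain raw special characters, which is useful for catching double-escaping bugs in templates.

```javascript
// Added example: single-pass HTML escape/unescape with a round-trip check.

// The five characters with reserved meaning in HTML text and attribute values.
// One regex with a lookup avoids the ordering pitfall of chained .replace().
const ESCAPE_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Named entities this example understands (deliberately a small set; a full
// HTML5 decoder needs the complete named-character table).
const NAMED_ENTITIES = {
  amp: "&",
  lt: "<",
  gt: ">",
  quot: '"',
  apos: "'",
  nbsp: "\u00a0",
};

// Decodes &name;, &#DDD; and &#xHHH; in one pass. Each entity is matched and
// replaced once, so "&amp;lt;" correctly becomes "&lt;" rather than "<".
function unescapeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const isHex = body[1] === "x" || body[1] === "X";
      const codePoint = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // Leave malformed or out-of-range references untouched.
      if (!Number.isFinite(codePoint) || codePoint > 0x10ffff) return match;
      return String.fromCodePoint(codePoint);
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Escaping is not idempotent: escaping already-escaped text double-encodes it.
// This reports whether a string still contains anything that needs escaping
// (a bare & not followed by a well-formed entity counts as raw).
function needsEscaping(text) {
  return /[<>"']|&(?!(#x[0-9a-f]+|#[0-9]+|[a-z]+);)/i.test(text);
}

// Constructed sample input.
const sample = `<script>alert('XSS')</script> & "quotes"`;
const escaped = escapeHtml(sample);
console.log(escaped);
console.log(unescapeHtml(escaped) === sample); // true
console.log(needsEscaping(escaped));           // false
```

Because `escapeHtml` is not idempotent, call it exactly once at the point where a value enters HTML; `needsEscaping` can be used in tests to assert that rendered output contains no raw `<`, `>`, quotes or stray `&`.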
Common HTML Entities
| Character | Entity Name | Entity Number | Description |
|---|---|---|---|
| `<` | `&lt;` | `&#60;` | Less than |
| `>` | `&gt;` | `&#62;` | Greater than |
| `&` | `&amp;` | `&#38;` | Ampersand |
| `"` | `&quot;` | `&#34;` | Double quote |
| `'` | `&apos;` (or `&#39;`) | `&#39;` | Single quote |
| (space) | `&nbsp;` | `&#160;` | Non-breaking space |
XSS Prevention Example
Malicious input:

```html
<script>alert('XSS')</script>
```

After escaping (safe to display):

```html
&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
```
The escaped version displays as text instead of executing as JavaScript.
Frequently Asked Questions
- What are HTML entities and why use them?
- HTML entities are special character sequences that represent characters with reserved meaning in HTML. The five essential entities are: `&amp;` (ampersand), `&lt;` (less than), `&gt;` (greater than), `&quot;` (double quote), and `&#39;` (single quote). They prevent HTML injection and ensure special characters display correctly.
- When should I escape HTML?
- Escape HTML when: displaying user-generated content to prevent XSS attacks, showing code examples in documentation, embedding JSON/XML in HTML pages, generating email templates, and inserting dynamic content into HTML attributes or text nodes.
- What is the difference between encoding and escaping?
- In this context, 'escaping' and 'encoding' refer to the same process: converting special characters to their entity equivalents. HTML escaping replaces `<` with `&lt;`, `>` with `&gt;`, `&` with `&amp;`, etc. This is different from URL encoding (`%XX` format) or Base64 encoding.
- How do I prevent XSS attacks?
- Always escape user input before rendering in HTML. Never insert raw user data into the DOM using innerHTML. Use textContent for text insertion, or escape special characters first. For attribute values, always quote attributes and escape quotes within values.
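One way to make "escape user input before rendering" the default rather than something to remember at every call site, as an added example that is not part of the original page: an `html` tagged template that escapes every interpolated value, whether it lands in a text node or inside a quoted attribute, and a `SafeHtml` wrapper so that nested templates are not escaped twice. The names `html`, `SafeHtml` and `renderUserList` are hypothetical.

```javascript
// Added example: auto-escaping tagged template for text and attribute contexts.

const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Marks a string that is already escaped (or is author-written static markup)
// so html`` passes it through instead of escaping it a second time.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: the literal parts are author-controlled markup and pass
// through untouched; every ${...} value is escaped unless it is a SafeHtml.
function html(strings, ...values) {
  let out = "";
  strings.forEach((literal, i) => {
    out += literal;
    if (i < values.length) {
      const v = values[i];
      out += v instanceof SafeHtml ? v.markup : escapeHtml(v);
    }
  });
  return new SafeHtml(out);
}

// Joins SafeHtml fragments without re-escaping them.
function join(fragments) {
  return new SafeHtml(fragments.map(String).join(""));
}

// Renders user-supplied names and bios into a <ul>. The attribute is always
// quoted in the literal, and escapeHtml turns quotes inside the value into
// &quot; / &#39;, so the value cannot terminate the attribute early.
function renderUserList(users) {
  const items = users.map((u) => html`<li title="${u.bio}">${u.name}</li>`);
  return html`<ul>${join(items)}</ul>`.toString();
}

// Constructed sample input: a name containing markup and bios containing quotes.
const users = [
  { name: "<b>Mallory</b>", bio: 'Says "hi" & waves' },
  { name: "Alice", bio: "O'Neil" },
];
console.log(renderUserList(users));
```

The literal parts of the template are the only place raw markup can come from, which is the property a reviewer wants: any `${...}` that reaches the output unescaped must be an explicit `SafeHtml`, and those are easy to grep for.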