HTML Escape — Convert HTML Special Characters & HTML Entities
Convert special HTML characters such as <, >, &, ", and ' into HTML entities like &lt;, &gt;, &amp;, &quot;, and &#39; so browsers display them as text instead of interpreting them as HTML.
You can also decode HTML entities back into their original characters.
Everything runs entirely in your browser and your input is never sent to a server.
Use the URL Encoding & Decoding tool when handling special characters in URLs,
and use the Base64 Encoding & Decoding tool when transferring binary data as text (Base64 is an encoding, not a protection).
Why HTML Escape Matters — Prevent XSS and Display Content Safely
If HTML special characters are not escaped, the browser parses user input as markup, and markup can carry script.
For example, rendering <script>alert('XSS')</script> directly executes the script, while escaping it displays the same text literally.
Escaping is required wherever user-controlled content is written into a page, including comments, search results (the echoed query is a classic injection point), and community features.
Even if your backend already escapes output, this tool makes it faster to verify and test what the escaped output should look like.
Common HTML Entity Codes — Characters That Should Be Escaped
These are the most commonly escaped characters in HTML and their corresponding entity codes.
| Character | Entity Code | Description |
|---|---|---|
| < | &lt; | Opening angle bracket, starts an HTML tag |
| > | &gt; | Closing angle bracket, ends an HTML tag |
| & | &amp; | Ampersand, starts an entity |
| " | &quot; | Double quote, delimits attribute values |
| ' | &#39; | Single quote, delimits attribute values (&apos; in HTML5) |
< and > are interpreted as HTML tags, while & marks the beginning of an entity. When escaping with a chain of replacements, handle & first; otherwise the & in an entity you just produced is escaped again and &lt; becomes &amp;lt;.
Double and single quotation marks must also be escaped inside HTML attributes, or a quote in the value ends the attribute early and breaks the markup.
&nbsp; is commonly used to preserve multiple spaces or create non-breaking spaces in HTML.
What Is HTML Unescape? — Convert HTML Entities Back into Characters
Unescape is the reverse of escaping. It converts HTML entities such as &lt;, &gt;, and &amp; back into their original characters <, >, and &.
Common use cases include restoring HTML entity strings stored in APIs or databases back into usable HTML,
converting escaped content imported from email templates or external systems before editing,
and debugging strings that were encoded multiple times on the server.
Use the ESCAPE / UNESCAPE buttons at the top of the tool to switch between both conversion modes.
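The following is an added example, not the tool's own code, showing what the escape and unescape modes above do: a single-pass escape of the five characters in the table, the double-encoding that results when & is not handled first, an unescape that decodes named, decimal and hexadecimal references, a helper that peels off repeated server-side encoding, and the attribute-context breakage that unescaped quotes cause. All inputs are constructed; the named-entity table is limited to the entities listed on this page.

```javascript
// Added example (not the tool's own code): a minimal escape/unescape pair of the
// kind this tool performs, plus the attribute-context failure from the FAQ.
// The escape map covers exactly the five characters listed in the table above.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single pass: each character is looked up once, so an '&' produced by the
// replacement is never escaped again.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// What happens when '&' is not handled first in a chain of replace() calls:
// '<' becomes '&lt;' and the later '&' pass turns that into '&amp;lt;'.
function escapeHtmlWrongOrder(text) {
  return String(text).replace(/</g, '&lt;').replace(/&/g, '&amp;');
}

// Named entities this unescaper understands (the ones listed on this page);
// a full decoder would use the complete HTML5 entity table.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0',
  copy: '\u00A9', reg: '\u00AE', trade: '\u2122', mdash: '\u2014',
};

// Decodes named, decimal (&#60;) and hexadecimal (&#x3C;) references.
// Anything unrecognised is left exactly as it was, so nothing is lost silently.
function unescapeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const ch = NAMED_ENTITIES[body.toLowerCase()];
    return ch === undefined ? match : ch;
  });
}

// Debugging aid for strings that were escaped more than once on the server:
// decode until the text stops changing and report how many layers came off.
function unescapeLayers(text) {
  let current = String(text);
  let layers = 0;
  for (;;) {
    const next = unescapeHtml(current);
    if (next === current) return { text: current, layers };
    current = next;
    layers += 1;
  }
}

// Attribute context: an unescaped double quote closes the value attribute and
// whatever follows becomes a new attribute. countAttributes() makes that visible.
function valueAttribute(input, escape) {
  return `<input value="${escape ? escapeHtml(input) : input}">`;
}
function countAttributes(markup) {
  return (markup.match(/\s[\w-]+="/g) || []).length;
}

// Constructed sample inputs.
const scriptInput = "<script>alert('XSS')</script>";
console.log(escapeHtml(scriptInput));            // &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
console.log(escapeHtmlWrongOrder('a<b'));        // a&amp;lt;b  (double-encoded)
console.log(unescapeLayers('&amp;amp;lt;b&amp;amp;gt;'));  // { text: '<b>', layers: 3 }
console.log(countAttributes(valueAttribute('" data-x="1', false))); // 2
console.log(countAttributes(valueAttribute('" data-x="1', true)));  // 1
```

The single-pass regex form is what production escapers use precisely so that ordering cannot go wrong; the fixed-point loop in unescapeLayers is a debugging aid only, since a value that legitimately contains the text "&lt;" would be decoded one step too far.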
Compare Escape Formats — HTML vs JavaScript vs JSON
The way special characters are escaped depends on where the content will be used.
HTML escaping uses entities such as &lt;, &gt;, &amp;, and &quot;. It is intended for text inserted directly into HTML markup, as element content or quoted attribute values.
JavaScript strings use backslash escaping such as \", \', and \\. This format is required for text embedded inside JavaScript code, with one caveat: a string literal placed inside a <script> block must also not contain the sequence </script>, because the HTML parser ends the block there before JavaScript ever sees the string.
JSON escaping follows the JSON specification (RFC 8259) and escapes quotation marks, backslashes, and control characters. It is commonly used for API responses and JSON documents; it does not escape < or >, so JSON output is not by itself safe to inline in HTML.
This tool supports HTML, JavaScript, and JSON formats so you can choose the correct output for your use case and copy it immediately.
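As an added example (not the tool's own code), here is one constructed untrusted value escaped for the three destinations compared above. The JavaScript variant goes one step beyond the backslash escaping the text lists: it also rewrites <, >, & and the U+2028/U+2029 line terminators as \uXXXX, which is what makes a string literal safe to inline inside a <script> block.

```javascript
// Added example (not the tool's own code): one untrusted value escaped for the
// three destinations compared above. The input is constructed and deliberately
// contains quotes and a closing script tag.
const untrusted = `Tom & "Jerry" said 'hi' </script><b>x</b>`;

// 1. HTML: entity escaping for text placed in markup or quoted attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// 2. JavaScript string literal. JSON.stringify supplies the backslash escaping
// (\" \\ and control characters; a single quote needs none inside a double-quoted
// literal). The extra pass is an addition beyond what the text lists: it rewrites
// '<', '>', '&' and the U+2028/U+2029 line terminators as \uXXXX so the literal can
// be inlined in a <script> block without "</script>" in the data ending the block.
function jsStringLiteral(text) {
  return JSON.stringify(String(text)).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// 3. JSON: exactly what RFC 8259 requires. '<' and '>' are left alone, which is
// correct for an API response but not for inlining JSON into an HTML page.
function jsonString(text) {
  return JSON.stringify(String(text));
}

// The \uXXXX escapes are valid in both JS and JSON, so JSON.parse can check that
// the hardened literal still decodes to the original value.
function roundTripsAsJs(text) {
  return JSON.parse(jsStringLiteral(text)) === String(text);
}

console.log(escapeHtml(untrusted));
console.log(jsStringLiteral(untrusted));   // "...\u003c/script\u003e..." : safe inside <script>
console.log(jsonString(untrusted));        // "...</script>..." : would end a <script> block
console.log(roundTripsAsJs(untrusted));    // true
```

The point to take from the third output is that "valid JSON" and "safe to embed in HTML" are different properties; the same data needs the HTML form in markup, the hardened literal form inside a script block, and the plain JSON form on the wire.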
HTML Escape Reference by Language — Server-Side Escaping Methods
This tool is for checking what escaped output should look like; in a real application, escaping must be applied automatically by server-side or template code at the point of output, every time, never by hand.
| Language | Escape Method |
|---|---|
| Java (Spring) | HtmlUtils.htmlEscape(str) |
| Java (Commons Text) | StringEscapeUtils.escapeHtml4(str) |
| JavaScript | textContent / createTextNode() |
| Python | html.escape(str) |
| PHP | htmlspecialchars($str, ENT_QUOTES) |
| Go | html.EscapeString(str) |
| Ruby | CGI.escapeHTML(str) |
The JavaScript row is different in kind: textContent and createTextNode() insert the value as a text node that is never parsed as HTML, whereas building a string for innerHTML still requires escaping.
Most template engines, such as Thymeleaf, Jinja2, and Blade, escape values automatically in expressions like th:text and {{ }}.
However, raw-output syntax such as th:utext, Jinja2's |safe filter, or Blade's {!! !!} disables that escaping, so anything rendered that way must come from a trusted source or be run through an allow-list HTML sanitizer first; checking the escaped form in this tool does not make raw output safe.
Frequently Used HTML Entities — Quick Copy Reference
Here are some of the HTML entities developers use most often. Click any value to copy and use it instantly.
| Character | Named Entity | Numeric Entity | Description |
|---|---|---|---|
| < | &lt; | &#60; | Less-than sign, tag opening |
| > | &gt; | &#62; | Greater-than sign, tag closing |
| & | &amp; | &#38; | Ampersand |
| " | &quot; | &#34; | Double quotation mark |
| ' | &apos; | &#39; | Single quotation mark (&apos; is HTML5 only; &#39; works everywhere) |
| Space | &nbsp; | &#160; | Non-breaking space |
| © | &copy; | &#169; | Copyright symbol |
| ® | &reg; | &#174; | Registered trademark |
| ™ | &trade; | &#8482; | Trademark symbol |
| — | &mdash; | &#8212; | Em dash |
Named entities (such as &lt;) and numeric entities (such as &#60;) produce identical output.
Numeric entities can also represent characters that do not have predefined entity names.
Frequently Asked Questions
Is HTML escaping different from URL encoding?
Yes. They are completely different encoding processes.
HTML escaping converts special characters into forms such as &lt; and &amp; so browsers treat them as text instead of HTML tags or entities.
URL encoding converts characters that are not safe to use directly in URLs into percent-encoded values such as %2F and %20.
Because their purposes are different, using one in place of the other leaves the characters unprotected in the context that actually needed them.
If HTML content needs to be passed through URL parameters, apply URL encoding for transmission and perform HTML escaping separately when displaying the content.
Is escaping needed for anything other than XSS prevention?
Yes. Escaping matters in many scenarios beyond XSS prevention.
A common example is inserting user input directly into HTML attributes.
If a value containing quotation marks is placed into attributes such as href or value without escaping, the quote ends the attribute early, the rest of the input becomes new attributes or text, and the markup breaks; always quote attribute values and escape the quote character inside them.
Context-aware escaping is also important for email templates, PDF generation, CSV exports (where a leading =, +, -, or @ can be interpreted as a formula by spreadsheet software), and other output formats where special characters are interpreted differently.
Does Thymeleaf escape automatically?
Yes. When using the th:text attribute, Thymeleaf applies HTML escaping automatically.
For example, if a model attribute holds a string containing HTML tags, rendering it with th:text displays the tags as plain text instead of interpreting them as HTML.
By contrast, th:utext outputs HTML without escaping. Using it with untrusted input introduces XSS vulnerabilities.
Use th:utext only for content from trusted sources, such as HTML that has been created and reviewed internally.
Is my input sent to a server?
No. All escape and unescape processing runs entirely inside your browser.
Your input is not transmitted to external servers, including HTML code, scripts, API keys, or other text entered into the tool.
Does this tool escape Unicode characters or emoji?
This tool only converts characters that normally require escaping in HTML, such as <, >, &, ", and '.
Unicode characters, emoji, and most modern writing systems display correctly in HTML5 when the page is served as UTF-8 and do not require additional HTML escaping.
However, some legacy systems or ASCII-only environments may require numeric character references based on the Unicode code point (an &#xNNNN; reference for each non-ASCII character) instead of the raw character. In those cases, that conversion has to be done separately from HTML escaping.
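For the ASCII-only case just described, here is an added example (not the tool's own code) that rewrites every non-ASCII code point as a hexadecimal numeric character reference. It iterates by code point rather than UTF-16 unit, so a character outside the Basic Multilingual Plane such as an emoji becomes one reference instead of two surrogate halves; the sample string is constructed.

```javascript
// Added example (not the tool's own code): an ASCII-only fallback for the legacy
// case above. Every code point outside ASCII becomes a hexadecimal numeric
// character reference. Iterating with for...of walks code points, not UTF-16
// units, so an emoji becomes one reference instead of two surrogate halves.
function toAsciiWithNumericRefs(text) {
  let out = '';
  for (const ch of String(text)) {
    const cp = ch.codePointAt(0);
    out += cp < 0x80 ? ch : '&#x' + cp.toString(16).toUpperCase() + ';';
  }
  return out;
}

// Verification helper: true only if every character is 7-bit ASCII.
function isAscii(text) {
  return /^[\x00-\x7F]*$/.test(String(text));
}

// Note this does not replace HTML escaping: '<', '&' and quotes are ASCII and
// pass through untouched, so apply normal HTML escaping separately.
const sample = 'caf\u00E9 \u{1F600} <b>';            // constructed: "café 😀 <b>"
console.log(toAsciiWithNumericRefs(sample));           // caf&#xE9; &#x1F600; <b>
console.log(isAscii(toAsciiWithNumericRefs(sample)));  // true
```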
Are HTML entities and HTML escaping the same thing?
Not exactly, although the terms are often used interchangeably.
An HTML entity is a notation defined by HTML to represent a specific character, such as &lt;, &amp;, and &copy;.
HTML escaping refers to converting special characters into HTML entities so browsers display them as text rather than interpreting them as markup.
In other words, HTML entities are the result of escaping. In search results and developer documentation, both terms are frequently treated as equivalent.