What is HTML Escape?

HTML escaping converts special characters into their HTML entity equivalents so they display as literal text instead of being interpreted as markup. For example, < becomes &lt;, > becomes &gt;, and & becomes &amp;. This is essential when you want to show HTML code on a web page without the browser rendering it.

The WHATWG HTML specification defines a comprehensive list of named character references. Our tool handles the five critical characters that must always be escaped: ampersand (&), less-than (<), greater-than (>), double quote ("), and single quote ('). These are the characters outlined by the W3C internationalization guidelines.

Everything runs entirely in your browser. No data is sent to any server - paste your HTML, get the escaped output, and copy it. Your content stays private.

How to Use the HTML Escape Tool

Follow these three steps to escape HTML characters. Each step uses the buttons and panels on this page.

1. Paste, Upload, or Load Sample HTML

Paste your HTML into the left Input panel, or click Upload to load an .html, .htm, or .txt file. Click Sample to see example HTML with special characters.

<p class="intro">Hello & welcome to the "demo" page!</p>

The tool accepts any text containing HTML markup or special characters.

2. View Escaped Output

The right Output panel shows the escaped HTML instantly. All special characters are converted to their entity equivalents: < to &lt;, & to &amp;, quotes to &quot; and &#039;.

3. Copy, Download, or Unescape

Click Copy to copy the escaped text to your clipboard. Click Download to save as a .txt file. Need to reverse the operation? Click Unescape to convert entities back to their original characters.

When You'd Use This

Displaying Code in Web Pages

Need to show HTML source code on a web page? Escape it first so the browser displays the tags as text instead of rendering them. Essential for documentation, tutorials, and code examples.

Sanitizing User Input

When displaying user-generated content, escaping HTML prevents malicious markup or scripts from executing. It's a fundamental step in web security to protect against injection attacks.

Embedding HTML in JSON or XML

Storing HTML content inside JSON strings or XML documents requires escaping special characters to maintain valid syntax and prevent parsing errors.

Preventing XSS Attacks

Cross-site scripting (XSS) attacks exploit unescaped HTML in web applications. Escaping user input before rendering it is a critical defense layer recommended by security best practices.

Common Questions

Which characters does HTML escape convert?

This tool escapes the five critical HTML characters: & to &amp;, < to &lt;, > to &gt;, " to &quot;, and ' to &#039;. These are the characters that have special meaning in HTML markup.

Is HTML escaping the same as URL encoding?

No. HTML escaping converts characters to HTML entities (like &lt;) for safe display in web pages. URL encoding (percent-encoding) converts characters to %XX format for safe use in URLs. They serve different purposes.

Does escaping HTML prevent XSS?

Escaping HTML output is one of the most important defenses against XSS attacks. However, a complete security strategy also includes input validation, Content Security Policy headers, and using secure frameworks.

Can I unescape the output back to original HTML?

Yes. Click the Unescape button on the output panel to reverse the operation. It converts all entity references back to their original characters.

Is my data stored anywhere?

No. All processing happens entirely in your browser using JavaScript. Your HTML content never leaves your computer — no server uploads, no data storage.

What about numeric character references?

This tool uses named entities where available (like &lt;) and numeric references for single quotes (&#039;). Both forms are valid according to the HTML specification.
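
The escape and unescape operations described in the answers above, as an added example in JavaScript (not this tool's own source). The function names are hypothetical, and the unescape here covers only the five references the page lists plus &#39;, which is narrower than a full entity decoder.

```javascript
// Added example: the five-character mapping this page describes.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"' };

// One pass over the input: every special character is rewritten exactly once,
// so the "&" that starts "&lt;" is never escaped again into "&amp;lt;".
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Also one pass: "&amp;lt;" decodes to the literal text "&lt;", not to "<".
// Only the five references above (plus "&#39;") are handled here.
function unescapeHtml(text) {
  return String(text).replace(/&(amp|lt|gt|quot|#0*39);/g, (entity, name) =>
    name.startsWith("#") ? "'" : NAMED[name]);
}

// Deliberately defective contrast: decoding "&amp;" first lets the next
// replace decode its output a second time, turning escaped text into markup.
function unescapeChained(text) {
  return String(text).replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">");
}

// The five-character escape fits element text and quoted attribute values.
// It is not the right encoder for script blocks, URLs, CSS or unquoted attributes.
function renderComment(author, body) {
  return `<p class="comment" title="${escapeHtml(author)}">${escapeHtml(body)}</p>`;
}

// Constructed input: a user who typed the entity text itself, not a tag.
const typed = "&lt;b&gt;";
const stored = escapeHtml(typed);            // "&amp;lt;b&amp;gt;"
console.log(unescapeHtml(stored) === typed); // true: round trip is exact
console.log(unescapeChained(stored));        // "<b>": decoded twice
console.log(renderComment('A "B"', "1 < 2"));
```

The chained version is the pattern to look for in code review: any unescape that decodes &amp; before the other entities can turn stored, escaped text back into live markup.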
