HTML Escape

Escape HTML special characters



What is HTML Escape

HTML (HyperText Markup Language) is the core markup language for web pages, defining structure and content that browsers render.

HTML Escape replaces reserved HTML characters — &, <, >, ', and " — with their entity equivalents (&amp;, &lt;, &gt;, &#39;, &quot;) so the browser renders the characters as literal text instead of interpreting them as markup.

Escaping is the primary defense against HTML-context injection. Any content that originates from a user, database, or external API and ends up inside an HTML document must be escaped (or handled by a templating engine that escapes by default) to prevent cross-site scripting (XSS).

Why use it

  • Insert code samples, math expressions, or arbitrary user input into an HTML document as literal text.
  • Prevent XSS when rendering untrusted strings in legacy templates that don't auto-escape.
  • Encode strings for use as HTML attribute values, where an unescaped quote would break out of the attribute.

Features

  • Escapes the five reserved HTML characters (&, <, >, ', ") — the standard OWASP HTML-context set
  • Toggle between named entities (&amp;, &lt;) and numeric entities (&#38;, &#60;) for legacy XML compatibility
  • Optional non-ASCII escaping — emits &#NNNN; for every character above U+007F to survive latin-1 pipelines
  • Reverse operation (unescape) available in our companion HTML Unescape tool
  • All escaping happens in-browser — source never leaves your device, which matters for code samples under NDA

How to use HTML Escape

  1. Paste the source text. Drop or type any string containing raw HTML characters — code snippets, user input, API payloads — into the left editor.
  2. Pick the entity style. Toggle between named entities (&amp;) and numeric entities (&#38;). Named entities are more readable; numeric entities survive any encoding pipeline.
  3. Enable non-ASCII escape (optional). For content heading into a non-UTF-8 pipeline, enable 'escape non-ASCII' to encode every character above U+007F as a numeric entity.
  4. Copy the escaped output. Click Copy to grab the result. Paste into your HTML document, template, or JSON payload as needed.
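The transformation the steps above describe, written out as an added JavaScript example (not the tool's own source): `escapeHtml` applies the five-character text-context set from the definition, with one option for numeric instead of named entities and one for escaping every code point above U+007F as a decimal entity. The function and option names, and the sample string, are my own.

```javascript
// Added example, not the tool's own source: HTML text-context escaper with the
// two options the tool exposes (numeric entities, non-ASCII escaping).
// Function and option names are assumptions for illustration.

// The five reserved characters and their named forms. The single quote uses
// &#39; because &apos; is not defined in HTML 4 and some legacy parsers.
const HTML_NAMED = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string for insertion as text content (or a quoted attribute value)
// in an HTML document. Apply at output time, exactly once per context.
function escapeHtml(input, { numeric = false, nonAscii = false } = {}) {
  let out = '';
  // for...of iterates by code point, so astral characters (emoji, rare CJK)
  // become one entity instead of two surrogate halves.
  for (const ch of String(input)) {
    const cp = ch.codePointAt(0);
    if (Object.prototype.hasOwnProperty.call(HTML_NAMED, ch)) {
      out += numeric ? `&#${cp};` : HTML_NAMED[ch];
    } else if (nonAscii && cp > 0x7f) {
      out += `&#${cp};`;              // survives latin-1 / ASCII-only pipelines
    } else {
      out += ch;                      // whitespace, newlines and tabs pass through
    }
  }
  return out;
}

// Constructed sample input (not from the page) covering all three modes.
const SAMPLE = '<b>Tom & "Jerry"</b>\n\tcafé';

function demo() {
  return {
    named: escapeHtml(SAMPLE),
    numeric: escapeHtml(SAMPLE, { numeric: true }),
    nonAscii: escapeHtml(SAMPLE, { nonAscii: true }),
  };
}

console.log(demo());
```

Note what is not in the function: it never decodes, never runs twice over its own output, and never touches the newline or tab, which is why the "multi-line input" behaviour in the FAQ falls out naturally.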

Example (before/after)

HTML input

Start with the HTML input you want to process in HTML Escape.

HTML output

Get an HTML result from HTML Escape that is ready to review, copy, and reuse in the next step of your workflow.

Common errors

Unsupported input

The tool may reject input that does not match the expected content, structure, or file type.

Fix: Confirm the tool input requirements and paste the correct type of data.

Incomplete values

Missing fields or partial content can block processing or produce weak results.

Fix: Provide the full required input before running the tool.

Copying placeholder content

Sample or placeholder values can lead to output that looks valid but is not ready for real use.

Fix: Replace placeholders with your actual values before relying on the result.

FAQ

Does escaping prevent all XSS attacks?

For HTML text-context (content between tags), escaping these five characters is the standard defense. For attribute context, JavaScript context, or URL context, different escaping rules apply — see OWASP's XSS Prevention Cheat Sheet. A framework like React, Angular, or Vue handles all contexts automatically; this tool is for one-off escaping outside a framework.
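Attribute context, as an added example that is not part of the tool: the five-character text-context set leaves space and `=` untouched, which is only safe while the attribute value is quoted. The OWASP cheat sheet's rule for attribute values encodes every non-alphanumeric character below U+0100 as `&#xHH;`, so the result cannot terminate the attribute whether or not the template quoted it. `escapeHtmlAttribute` and `compare` are my own names.

```javascript
// Added example, not the tool's own source: attribute-context encoder following
// the OWASP XSS Prevention Cheat Sheet rule for attribute values (encode every
// non-alphanumeric character below 256 as &#xHH;). Names are assumptions.
function escapeHtmlAttribute(input) {
  let out = '';
  for (const ch of String(input)) {
    const cp = ch.codePointAt(0);
    const isAlnum =
      (cp >= 0x30 && cp <= 0x39) ||   // 0-9
      (cp >= 0x41 && cp <= 0x5a) ||   // A-Z
      (cp >= 0x61 && cp <= 0x7a);     // a-z
    if (isAlnum || cp >= 0x100) {
      out += ch;                       // alphanumerics and non-Latin-1 pass through
    } else {
      // Hex entity for quotes, space, =, /, <, > and control characters.
      out += '&#x' + cp.toString(16).toUpperCase().padStart(2, '0') + ';';
    }
  }
  return out;
}

// Side-by-side view of the same value under the text-context set and the
// attribute-context rule, to show which characters each leaves untouched.
function compare(value) {
  const textContext = value.replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
  return { textContext, attributeContext: escapeHtmlAttribute(value) };
}

// Constructed sample (not from the page).
console.log(compare('x=1 y'));
```

The stricter rule costs readability, so it is worth using only where the template does not guarantee quoting; inside a framework that escapes per context you never call it by hand.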

What's the difference between named and numeric entities?

Named entities (&amp;, &lt;) are human-readable and are the idiomatic choice for modern HTML5. Numeric entities (&#38;, &#60;) are functionally identical but more portable — they survive XML pipelines, ASCII-only transport channels, and legacy email systems where named entities may not resolve.

Does the tool escape non-ASCII characters like é or 中?

Only if you enable the 'escape non-ASCII' option. By default, non-ASCII characters pass through unchanged because modern UTF-8 HTML documents render them correctly. Enable the option when targeting latin-1 pipelines, legacy CRMs, or ASCII-only transport like some SMTP servers.

Is escaping the same as URL-encoding?

No. HTML escaping targets markup-reserved characters inside an HTML document. URL-encoding (percent-encoding) targets reserved characters in a URL (%20 for space, %3F for ?, etc.). Use our URL Encoder for URL contexts; use this tool for HTML contexts.

How do I unescape already-escaped HTML?

Use our HTML Unescape tool (the inverse operation), or paste the escaped text into this tool's right pane and click the swap arrow. The reverse conversion decodes both named and numeric entities.
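The reverse conversion, as an added example that is not the companion tool's code: a single-pass decoder for the named set used on this page plus decimal and hex numeric entities. The single pass is the point. `&amp;lt;` must decode to `&lt;`, not `<`; looping "until no entities remain" is a double-decoding bug that turns correctly escaped stored text back into markup. `unescapeHtml` is my own name.

```javascript
// Added example, not the companion tool's source: single-pass HTML entity
// decoder for the named set on this page plus &#NNN; and &#xHH; forms.
// Function name is an assumption.
const NAMED_TO_CHAR = {
  amp: '&',
  lt: '<',
  gt: '>',
  quot: '"',
  apos: "'",   // HTML5 name; legacy documents use &#39; instead
};

function unescapeHtml(input) {
  // One regex pass: each entity is replaced once and the replacement text is
  // never re-scanned, so "&amp;lt;" yields "&lt;" rather than "<".
  return String(input).replace(
    /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        if (cp > 0x10ffff) return match;   // not a Unicode scalar; leave the text alone
        return String.fromCodePoint(cp);
      }
      const ch = NAMED_TO_CHAR[name];
      return ch === undefined ? match : ch; // unknown names are left untouched
    },
  );
}

// Constructed sample (not from the page).
console.log(unescapeHtml('&lt;b&gt;Tom &amp; &quot;Jerry&quot;&lt;/b&gt; caf&#233; &#x26; &amp;lt;'));
```

Decode only when you need the original text back (editing, comparison, logging); never decode and then re-insert into HTML without escaping again.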

Does the tool handle multi-line input or preserve formatting?

Yes — newlines, tabs, and other whitespace pass through unchanged. Only the five reserved characters (and non-ASCII if enabled) are transformed. Indentation and line breaks are preserved verbatim.