
HTML Escape/Unescape

Escape HTML special characters to entities, or unescape named, decimal, and hex character references locally for tag display and code examples.



Quick Start

1. Enter HTML or escaped entity text.
2. Click Encode or Decode.
3. The result replaces the text in the same editor, so a second click converts the converted text.
4. Copy the current result.

Common scenarios

User comments: escape untrusted text before displaying it inside an HTML content area.
Blog posts: display HTML tags and snippets in articles.
Forum posts: show user text without letting pasted tags render as markup.
Chat messages: turn pasted markup into visible text before it reaches an HTML content area.
Form data: inspect and copy escaped values before displaying submitted text.
Code display: show HTML or JavaScript snippets on web pages.

Escaping Rules & Entities

Encode handles six characters: & < > " ' /. Slash escaping follows older OWASP guidance and does no harm, but HTML text and quoted-attribute contexts do not require it.
Fixed encode map: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot;, ' becomes &#39;, and / becomes &#x2F;. The numeric &#39; is used for the apostrophe because &apos; is not defined in HTML 4, so very old parsers do not decode it.
Attribute values: " becomes &quot; and ' becomes &#39;, which is sufficient only inside a quoted attribute value. Attribute names, event-handler attributes such as onclick, and URL-bearing attributes such as href still need context-specific handling, and an unquoted attribute value is not protected by this map at all, because a space or = ends the value and starts a new attribute.
Script examples: escape <script> before placing it in an HTML content context so the browser displays it as text. This does not apply inside an existing <script> element, where character references are not decoded and a JavaScript-string encoder is needed instead.
Tag display: write <div> as &lt;div&gt; so the browser shows it as text instead of parsing it as markup.
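The encode map and decode behaviour described above, as an added JavaScript example (illustrative code, not the tool's own source). The decoder is assumed to know only the five named references the page mentions (amp, lt, gt, quot, apos) and to require the closing semicolon, so any other reference stays unchanged, which is the behaviour the page describes for unknown or incomplete entities. Numeric references follow the HTML parser's rule that NUL, surrogates and out-of-range code points become U+FFFD.

```javascript
// Added example, not the tool's own source. Implements the six-character
// encode map from the page and a small decoder for named, decimal and hex
// character references.

const ESCAPE_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "/": "&#x2F;",
};

// Escape for an HTML text node or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => ESCAPE_MAP[ch]);
}

// Named references this decoder knows (assumption: the five the page mentions;
// a browser's table has over two thousand names).
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Decode &name;, &#NNN; and &#xHH; references. Anything that is not a complete,
// known reference is left untouched, which is the behaviour the page describes.
function unescapeHtml(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const isHex = body[1] === "x" || body[1] === "X";
      const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // The HTML parser maps NUL, surrogates and out-of-range values to U+FFFD.
      if (cp === 0 || (cp >= 0xd800 && cp <= 0xdfff) || cp > 0x10ffff) {
        return "\uFFFD";
      }
      return String.fromCodePoint(cp);
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}

// True when escape followed by decode returns the original text.
function roundTrips(text) {
  return unescapeHtml(escapeHtml(text)) === text;
}

// Constructed sample: a pasted comment that would otherwise become markup.
const sample = `<img src=x onerror="alert(1)"> & friends`;
console.log(escapeHtml(sample));
console.log(unescapeHtml("&lt;b&gt;bold&lt;/b&gt; &#169; &#xA9; &bogus; &lt"));
```

Note that `&bogus;` and the semicolon-less `&lt` in the last line come back unchanged; a browser would also leave `&bogus;` alone but does decode a handful of legacy names without the semicolon, which this simplified decoder does not model.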

Escape vs Sanitization Boundaries

Encode uses a fixed six-character map. It does not convert other characters (non-ASCII, control characters, or anything outside the six) into named, decimal, or hexadecimal entities.
Decode follows browser HTML parsing rules for character references. Unknown or incomplete entities (an unrecognised name, or a reference missing its semicolon) may stay unchanged; the tool does not report them.
Escaping shows tags as text. Sanitization parses the markup and removes or rewrites tags, attributes, event handlers, and URL protocols. This page only does the first task.
HTML content, attributes, JavaScript strings, CSS, URLs, JSON, and Markdown each need their own escaping rules; output escaped for one context is not safe in another.
The page has no HTML preview, formatter, validator, DOM tree, XSS report, file upload, or download export.
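The context point made in the boundaries list above, and again under Limitations, as an added JavaScript example (illustrative code, not the tool's own). The function names are assumed; it places one untrusted value into four output contexts and shows the six-character map failing in an unquoted attribute while a per-context encoder holds.

```javascript
// Added example, not the tool's own code. The same untrusted value encoded for
// four output contexts; function names are illustrative.

const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "/": "&#x2F;" };

// HTML text node or quoted attribute value: the page's six-character map.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ESCAPE_MAP[c]);
}

// Attribute value, including an unquoted one: every character outside
// [A-Za-z0-9] becomes &#xHH;, so a space or = cannot start a new attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => "&#x" + c.codePointAt(0).toString(16).toUpperCase() + ";");
}

// JavaScript string literal inside <script>: \xHH or \uHHHH, so neither a
// quote nor "</script>" can terminate the literal or the script element.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).toUpperCase().padStart(2, "0")
      : "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
  });
}

// URL query parameter: UTF-8 percent-encoding.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Place one input into each context. unquotedAttrWrong shows the six-character
// map failing where the attribute value is not quoted.
function render(input) {
  return {
    text: "<p>" + escapeHtml(input) + "</p>",
    unquotedAttrWrong: "<input value=" + escapeHtml(input) + ">",
    unquotedAttrRight: "<input value=" + encodeForHtmlAttribute(input) + ">",
    jsString: '<script>var q = "' + encodeForJsString(input) + '";</script>',
    url: "/search?q=" + encodeForUrlParam(input),
  };
}

// Constructed payload: it contains none of the six characters, so escapeHtml
// leaves it unchanged and the unquoted attribute gains an onmouseover handler.
const payload = "x onmouseover=alert(1)";
for (const [ctx, out] of Object.entries(render(payload))) console.log(ctx, out);
```

The attribute and JavaScript encoders are deliberately aggressive (everything outside alphanumerics), which is the usual defensive choice when the exact quoting of the destination is not under your control; template engines with auto-escaping do the same selection by context for you.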

Usage Advice

Context-aware escaping: choose the escaping rule for the exact output location (text node, quoted attribute, JavaScript string, URL, and so on), not a generic one.
Server-side processing: security-critical output encoding and sanitization must be enforced in your application at the point of output, not only in a browser helper that a user can bypass.
Double-check: verify the escaped result in the target context before using it in production; a value that is safe in a text node can still be injectable in an unquoted attribute.
Use libraries: production apps should rely on framework escaping (template auto-escaping) and mature sanitizers instead of manual copy-paste processing.
Preview check: test the result in the destination page or a test environment, because each output context has different rules.

Limitations & Compatibility

Not a sanitizer: this tool does not remove scripts, event attributes, unsafe protocols, style attributes, or unwanted tags; it only turns them into text that displays literally.
Incomplete protection: HTML escaping alone cannot prevent every XSS issue; DOM-based sinks, unquoted attributes, and script or URL contexts need their own encoders. Use framework escaping, sanitization, CSP, and server-side validation where appropriate.
Context dependent: HTML content, attributes, JavaScript, CSS, URLs, JSON, and Markdown use different escaping rules.

Privacy & Security

HTML entity encoding and decoding run locally in your browser. The source text may persist as a browser draft, and if a saved workspace or WebDAV sync is enabled, that text may be written to the sync target, so treat pasted text as stored rather than ephemeral when those features are on. Encode, Decode, and copied text all use the same editor content; this tool does not upload files, create attachments, export files, or save a separate result state.
