
HTML Escape/Unescape

HTML Escape/Unescape supports escaping and unescaping HTML entities for special characters and tag display, making it useful for user input, code examples, and safer content handling.


Quick Start

1. Enter content (HTML or already-escaped text) in the textbox
2. Choose Encode or Decode
3. Click the button to convert; the result appears in the same textarea
4. Click Copy to reuse the result

Common Scenarios

User Comments

Escape user-submitted comments to prevent XSS attacks

Blog Posts

Display HTML code examples in articles

Forum Posts

Safely display user-generated content

Chat Messages

Prevent malicious code spread through chat features

Form Data

Process and display form submission data

Code Display

Show HTML/JavaScript code snippets on web pages

Escaping Rules & Entities

Common characters: < > & " ' (slash / is generally not required; context‑dependent)
Entity Format: Special characters are converted to &entity; or &#code; format, e.g., < becomes &lt; or &#60;
Attribute Escaping: Quotes convert to &quot;, protecting HTML attribute values
Script Protection: <script> tags automatically escaped to prevent JavaScript injection
Write <div> as &lt;div&gt; to avoid being parsed by the browser

Usage Advice

Context-aware Escaping: Choose appropriate escaping strategy based on output location
Server-side Processing: Critical security escaping should be done server-side
Double Check: Verify output after escaping to ensure nothing is missed
Use Libraries: Production environments should use mature escaping libraries instead of manual processing
Preview Check: Preview actual display in browser console after escaping

Limitations & Compatibility

Not a sanitizer: does not remove scripts/events/unsafe protocols; use with content sanitization
Incomplete Protection: Escaping alone cannot prevent all XSS, combine with other security measures
Context Dependent: Different locations require different escaping strategies (HTML content, attributes, JavaScript, CSS)
To keep the page responsive, very large text may be processed more simply. Consider splitting
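
As an added example (not this tool's own code): a minimal escape/unescape pair for the five characters listed above, plus a link renderer that shows why the "not a sanitizer" limitation matters. A `javascript:` URL passes through escaping unchanged, so the URL attribute context needs its own scheme allow-list. The function names and the allowed-scheme list are assumptions.

```javascript
// Illustrative names; not taken from the tool described on this page.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// HTML content / quoted-attribute context: encode the five special characters.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode named, decimal and hex entities in ONE pass, so "&amp;lt;"
// becomes "&lt;" and is not decoded a second time into "<".
function unescapeHtml(text) {
  const pattern = /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|(amp|lt|gt|quot|apos));/g;
  return String(text).replace(pattern, (match, dec, hex, name) => {
    if (name) return NAMED[name];
    const code = dec ? parseInt(dec, 10) : parseInt(hex, 16);
    const valid = code > 0 && code <= 0x10ffff && !(code >= 0xd800 && code <= 0xdfff);
    return valid ? String.fromCodePoint(code) : match; // leave bad references as-is
  });
}

// URL context: escaping does not change "javascript:...", so check the scheme.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto']; // assumed allow-list

function isSafeHref(value) {
  // Drop whitespace/control characters so they cannot hide the scheme.
  const cleaned = String(value).replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (!scheme) return true; // no scheme: relative URL
  return ALLOWED_SCHEMES.includes(scheme[1].toLowerCase());
}

// Combine both checks: validate the scheme first, then escape for the attribute.
function renderLink(href, label) {
  const target = isSafeHref(href) ? href : '#';
  return `<a href="${escapeHtml(target)}">${escapeHtml(label)}</a>`;
}

// Constructed sample input.
console.log(renderLink('https://example.com/?a=1&b=2', 'Tom & <Jerry>'));
```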

Privacy & Security

All processing happens locally in your browser. You can replace, clear, and re-run the current content at any time.
