Escape HTML Entities

Escape &, <, >, ", ' to safe HTML entities - minimal, numeric (non-ASCII), or unescape modes. Free, offline, client-side, instant, secure.

Convert the five XSS-relevant characters (& < > " ') to safe HTML entities so user input can be rendered inside HTML without becoming markup. Three modes: minimal (the five), numeric (also encode every non-ASCII), or reverse (unescape).


How to Use Escape HTML Entities

  1. Pick a mode. Minimal covers the five XSS-relevant characters and is what you want 99% of the time. Numeric adds &#N; for every non-ASCII character - useful when the consumer can only handle ASCII. Unescape reverses the operation.
  2. Paste your text into the Input box. Output updates live as you type (100 ms debounce).
  3. Read the stats line - current mode, input → output character counts, and how many entities were emitted (escape mode) or decoded (unescape mode).
  4. Copy or download. Ctrl/Cmd + Enter copies. Download writes escaped.txt (or unescaped.txt in unescape mode).
  5. Use in your HTML. Insert the escaped output into HTML body text or a quoted attribute value - it now renders as the literal characters instead of as markup. Critical for any place you echo user input back into HTML (templates, error messages, comments).

Frequently Asked Questions

What are HTML entities and why do I need to escape them?

An HTML entity is a character escape: &lt; renders as <, &amp; renders as &. Without escaping, the browser interprets characters like < as the start of a tag, so user input containing <script> becomes an executable script tag – a cross-site scripting (XSS) bug. Escaping makes the input render as literal text.

Which characters does “minimal” mode escape?

Exactly five: & → &amp;, < → &lt;, > → &gt;, " → &quot;, ' → &#39;. That’s the standard OWASP recommendation for HTML body context – covers tag starts, tag ends, attribute value boundaries, and ambiguous-entity ampersands.

When should I use “numeric” mode?

Pick numeric mode when the downstream consumer can only handle ASCII – older email clients, ASCII-only log aggregators, or systems that mangle UTF-8 in transit. It escapes the five XSS characters AND every code point above 127 as &#NNN;. Emoji and astral-plane characters (4-byte UTF-8) are handled correctly: 🎉 becomes &#127881;, not two surrogate-pair escapes.

Does “unescape” decode every kind of entity?

It decodes: the named entities &amp; &lt; &gt; &quot; &apos; &nbsp; &copy; &reg; &trade; &mdash; &ndash; &hellip; &laquo; &raquo;; decimal numeric (&#NNN;, which covers &#39;); and hex numeric (&#xHHHH;). Unknown named entities (e.g. &phi;) are left intact – never silently dropped. For the full HTML5 named-entity set (~2200 names), use a dedicated HTML5 decoder.
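The three modes described in this FAQ, as an added example written for this page rather than the tool's own source: minimal escaping of the five characters, numeric escaping of everything above 127 by code point (so an astral character yields one &#N; reference, not two surrogate escapes), and an unescape routine that knows exactly the named entities listed above plus decimal and hex references, and leaves unknown names untouched. The entity table and the range checks in the decoder are this example's own choices.

```javascript
// Added example: re-implementation of the minimal, numeric and unescape
// modes as described in the FAQ. Not the tool's own code.

const MINIMAL = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Minimal mode: only the five XSS-relevant characters are touched.
function escapeMinimal(text) {
  return text.replace(/[&<>"']/g, (ch) => MINIMAL[ch]);
}

// Numeric mode: the five, plus &#N; for every code point above 127.
// for...of iterates by code point, so U+1F389 (a 4-byte UTF-8 character)
// becomes a single &#127881; instead of two surrogate-pair escapes.
function escapeNumeric(text) {
  let out = '';
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (Object.prototype.hasOwnProperty.call(MINIMAL, ch)) out += MINIMAL[ch];
    else if (cp > 127) out += '&#' + cp + ';';
    else out += ch;
  }
  return out;
}

// Unescape mode: exactly the named entities the FAQ lists. The table is
// consulted with hasOwnProperty so that names like "constructor" do not
// resolve to Object.prototype members.
const NAMED = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
  copy: '\u00a9', reg: '\u00ae', trade: '\u2122', mdash: '\u2014',
  ndash: '\u2013', hellip: '\u2026', laquo: '\u00ab', raquo: '\u00bb',
};

function unescapeEntities(text) {
  return text.replace(/&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z]+));/g,
    (match, hex, dec, name) => {
      if (name !== undefined) {
        // Unknown named entity: leave the original text intact.
        return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
      }
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      // Refuse code points outside Unicode or inside the surrogate block
      // rather than producing a lone surrogate; the reference is kept as-is.
      if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
      return String.fromCodePoint(cp);
    });
}

// Constructed sample input showing a round trip through numeric mode.
const SAMPLE = '🎉 it\'s <a href="x">é</a>';
function roundTripsThroughNumeric(text) {
  return unescapeEntities(escapeNumeric(text)) === text;
}
```

The decoder deliberately does not recognise references without a trailing semicolon (browsers accept `&amp` in some positions); that leniency is one of the reasons the FAQ points to a full HTML5 decoder when you need browser-identical behaviour.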

Is this enough to prevent XSS?

For HTML body context (between tags), yes. For attribute values, yes if the attribute is quoted – escaping does not touch spaces or =, so user input in an unquoted attribute can still add a new attribute such as onmouseover. For URL attributes (href, src) escaping is necessary but not sufficient: it leaves javascript:alert(1) untouched. Validate the scheme against an allowlist (http, https), URL-encode any user data that goes into a query parameter, and then HTML-escape the result because it still sits inside a quoted attribute. For inline JavaScript, event-handler attributes (onclick) or CSS, neither HTML escaping nor URL encoding is sufficient – you need context-specific escaping or, better, don’t insert user input into those contexts at all.
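The same escaping applied in the contexts this answer distinguishes, as an added example (not code from the tool): body text and a quoted attribute, where escaping is enough; an unquoted attribute, kept here only to show the failure; and a link, where the scheme is checked with the URL parser before escaping. The http/https allowlist, the decision to accept absolute URLs only, and the `#` fallback are assumptions of this example.

```javascript
// Added example: where HTML escaping is enough and where it is not.
// Not the tool's own code; allowlist and fallback are this example's choices.

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Body context: escaping alone neutralises markup.
function renderComment(userText) {
  return '<p class="comment">' + escapeHtml(userText) + '</p>';
}

// Quoted attribute: escaping is enough because " cannot close the value.
function renderTitleAttr(userText) {
  return '<span title="' + escapeHtml(userText) + '">...</span>';
}

// Unquoted attribute (the bad pattern): space and = are not escaped, so the
// input "x onmouseover=alert(1)" introduces a second attribute.
function renderTitleAttrUnquoted(userText) {
  return '<span title=' + escapeHtml(userText) + '>...</span>';
}

// URL context: only absolute http/https URLs are accepted (assumption).
// Parsing with URL normalises case and strips tab/newline tricks such as
// "Java\tScript:", so the protocol check cannot be bypassed by formatting.
const SAFE_SCHEMES = ['http:', 'https:'];

function safeHref(userUrl) {
  let parsed;
  try {
    parsed = new URL(userUrl);          // throws on relative or malformed input
  } catch (e) {
    return '#';
  }
  if (!SAFE_SCHEMES.includes(parsed.protocol)) return '#';
  // Still HTML-escape: the normalised URL goes into a quoted attribute and
  // may legitimately contain & in its query string.
  return escapeHtml(parsed.href);
}

function renderLink(userUrl, userLabel) {
  return '<a href="' + safeHref(userUrl) + '">' + escapeHtml(userLabel) + '</a>';
}
```

Compare `escapeHtml('javascript:alert(1)')`, which returns the string unchanged, with `safeHref` on the same input: the entity escaper has nothing to encode, so only the scheme check stands between the input and an executable link.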

Why is single quote escaped as &#39; instead of &apos;?

&apos; is defined in XML and HTML5 but not in HTML4 – older browsers (Internet Explorer before version 9) and some legacy renderers show it as literal text. &#39; is the numeric form and is universally supported. Both decode to the same character, but emitting &#39; is the cautious default.

Is this the same as URL encoding?

No. HTML encoding uses &NAME; or &#NUMBER;; URL encoding uses %HH per UTF-8 byte. Space becomes &#32; in HTML but %20 in URLs. They solve different problems: HTML escaping prevents markup injection in HTML; URL encoding makes characters safe in URL components.

Is my data secure?

Yes. The page loads three static files (HTML, CSS, JS) and then runs entirely in your browser. Your input never leaves the device – no fetch, no XHR, no analytics, no cookies. You can disconnect from the internet after the page loads and the tool still works.

Is this tool free?

Yes – free, unlimited, no signup, no watermark. Use the output anywhere. Attribution to is appreciated but not required.