HTML Escape / Unescape

Convert special characters like &, <, >, ", and ' into HTML entities (escape), or convert entities back to their original characters (unescape). Useful for XSS prevention and embedding text in HTML.

Common Named HTML Entities

Character Named Entity Numeric Reference Description
& &amp; &#38; Ampersand (symbol for "and")
< &lt; &#60; Less-than sign (same as the opening character of an HTML tag)
> &gt; &#62; Greater-than sign (same as the closing character of an HTML tag)
" &quot; &#34; Double quote (attribute value delimiter)
' &apos; &#39; Single quote (attribute value delimiter)
  &nbsp; &#160; Non-breaking space (a space that prevents line wrapping)
© &copy; &#169; Copyright symbol
® &reg; &#174; Registered trademark symbol
&trade; &#8482; Trademark symbol
&euro; &#8364; Euro sign
¥ &yen; &#165; Yen sign
¢ &cent; &#162; Cent sign

Tips

  • HTML escaping is the foundation of XSS (cross-site scripting) prevention. Always escape user input before embedding it into HTML.
  • & must always be escaped first. If you convert other characters first, the & inside the newly generated &amp; will get double-escaped.
  • When embedding a string inside an attribute value, it's safer to escape both " (double quote) and ' (single quote), not just one of them.
  • This tool can unescape decimal numeric references (&#38;), hexadecimal numeric references (&#x26;), and the major named entities (such as &amp;).
  • Many template engines (Blade, JSX, Vue, etc.) automatically escape HTML when interpolating variables, but if you use a "raw HTML output" syntax like {!! !!} or v-html, you'll need to escape the value yourself.

Frequently Asked Questions

These three characters — &lt;, &gt;, and &amp; — are special because HTML parsers interpret them as part of the syntax itself. If you fail to escape them, the browser may mistake them for the start or end of a tag, which can lead to broken layouts or XSS (injection of malicious scripts).

URL encoding (percent-encoding) converts special characters so they can be safely represented within a URL, while HTML escaping prevents characters from being mistaken for HTML tags inside a document. Since they serve different purposes, if a form value is used both as a URL parameter and displayed in HTML, you may need to apply both conversions.

No. All conversion happens entirely within your browser using JavaScript, and the text you enter is never sent to toolbase.cc's servers.

No. This tool only escapes five characters: &, <, >, ", and '. Non-ASCII characters such as emoji and non-English text display safely as-is in modern UTF-8 environments, so no conversion is needed.
ツールくん

Side Note — The "Character Reference" Mechanism Inherited from SGML

The origin of HTML entities (character references) traces back to SGML (Standard Generalized Markup Language), the predecessor of HTML. SGML, standardized in 1986, already had a "character reference" mechanism for using the tag delimiter character < within body text. HTML inherited this mechanism almost unchanged, and basic named entities such as &lt;, &gt;, and &amp; were already defined in HTML's earliest specifications during the 1990s.

Named entities were originally prized as a way to display special print symbols (such as the copyright symbol &copy;, the registered trademark symbol &reg;, and various Greek letters) in ASCII-only environments, before Unicode became widespread. The HTML5 specification ultimately defines over 2,000 named entities, covering even minor symbols like checkmarks and musical notes.

Today, the spread of UTF-8 encoding has greatly reduced the need for character references to avoid garbled text. However, three characters — <, >, and & — still require escaping for an entirely different reason. They carry special syntactic meaning to HTML parsers (the start of a tag, the end of a tag, and the start of an entity), so failing to escape them can directly lead to broken layouts or XSS vulnerabilities.