How do I escape HTML to display code on a web page?

Convert the markup characters to entities: becomes >, & becomes &, " becomes " and ' becomes '. The browser then renders the literal characters instead of interpreting them as tags. Paste your snippet and click Escape.

Does HTML escaping prevent XSS?

Escaping these characters when you insert untrusted text into HTML is a core defence against cross-site scripting, because it stops user input from becoming live markup or scripts. Context matters though — values placed in attributes, URLs, or inline JavaScript need their own encoding, not just HTML-entity escaping.

Why does this tool use ' instead of ' for the apostrophe?

' is an XML entity that was not part of HTML 4, so older browsers may not recognise it. The numeric reference ' works everywhere, so HTML escaping uses it. For XML output, use the XML Escape tool, which emits '.

Is my HTML uploaded anywhere?

No. All escaping and unescaping happen in your browser with JavaScript. Your markup and content never leave your device.

How do I unescape HTML entities back to characters?

Paste text containing entities such as <div> and click Unescape. The tool turns & < > " and ' back into &, , " and ', recovering the original characters.

HTML Escape - Escape & Unescape HTML Entities Online

HTML Escape & Unescape — entity-encode for safe, XSS-free output

When untrusted text is inserted into an HTML page, the markup characters must be converted to entities so the browser shows them literally instead of running them as tags or scripts. This is the front line against cross-site scripting (XSS), and it's also how you display code samples on a page. This tool escapes and unescapes in your browser — nothing is uploaded.

What gets escaped

Character	Entity
`&`	`&`
`<`	`<`
`>`	`>`
`"`	`"`
`'`	`'` (HTML-safe form)

⚠️ Context matters

Entity escaping secures text placed in element content and quoted attributes. Values going into a URL, an inline <script>, or a CSS context need their own encoding — escaping the five characters is necessary but not sufficient in those positions.

Related tools

String Escaper — all-format hub
HTML Entity Encoder — full named-entity encoder/decoder
XML Escape — the five XML entities
HTML Formatter — beautify HTML

HTML Escape / Unescape

Free HTML escape & unescape tool — entities, XSS-safe output, display code

HTML Escape & Unescape — entity-encode for safe, XSS-free output

What gets escaped

⚠️ Context matters

Related tools