Advertisement

HTML Escape & Unescape

Convert special characters to their corresponding HTML entities (or vice versa).

Advertisement

HTML Entities

HTML entities are special character sequences used to display reserved HTML characters and Unicode symbols as text content rather than code. They prevent XSS injection and rendering errors.

Essential Escape Characters

When to Escape HTML

Why is HTML escaping important for security?

Unescaped user input in HTML can lead to Cross-Site Scripting (XSS) attacks — where malicious <script> tags injected by a user execute in other users' browsers. Always escape untrusted content before rendering it in HTML, especially in innerHTML or template literals.

What's the difference between named and numeric entities?

Named entities use descriptive names: &amp;, &copy;. Numeric entities use the Unicode code point: decimal (&#38;) or hex (&#x26;). Named entities are more readable; numeric entities work for any character without needing a defined name.

Should I escape inside <script> tags?

No — HTML escaping applies to HTML text content and attribute values, not JavaScript code inside <script> tags. Inside scripts, you would use JavaScript string escaping instead. However, if you're embedding a value from HTML into JS (e.g., via a data attribute), both escaping layers apply.