HTML escape
Escape HTML special characters to make text safe for use inside HTML. This is the same operation as HTML encoding, characters like <, >, &, and " are replaced with their entity equivalents so they display correctly in browsers.
How it works
Encoding uses a lookup map to replace characters like <, >, and &with their named HTML entities. Decoding uses the browser's built-in DOMParser to reverse the process. Both run entirely in your browser. No server required.
Processing runs in your browser
All encoding and decoding happens locally in your browser tab. Our servers are not involved at any point.
Related operations
For percent-encoding URL components, try URL encode. To encode binary blobs or images as text, use Base64. For previewing escaped markup, see the Markdown preview.
Frequently asked questions
What is the difference between HTML escaping and HTML encoding?
They are the same operation. Both terms refer to replacing special HTML characters with their entity equivalents to prevent them from being interpreted as markup. 'Escaping' is the term more commonly used in a security context.
When do I need to escape HTML?
Any time you insert dynamic content into an HTML document, from a database, user input, or API response. Modern templating systems and frameworks auto-escape by default, but understanding manual escaping is still important.
Does escaping prevent all XSS attacks?
HTML escaping prevents injection into HTML text contexts. For other contexts (JavaScript, CSS, URLs, HTML attributes without quotes) different escaping rules apply. Always use context-appropriate escaping.