
HTML Escape & Unescape

Escape or decode HTML entities instantly

Keep your HTML safe by escaping user input before rendering, or decode strings imported from legacy templates without a compiler.

Use numeric entities (&#60; instead of &lt;)

Why Escape HTML?

Escaping HTML entities prevents injected tags or attributes from breaking your layout or introducing cross-site scripting (XSS) vulnerabilities. Every time your application renders user-generated content (comments, form inputs, chat messages), the raw text should be escaped before it reaches the DOM. Characters like <, >, &, and " are replaced with their entity equivalents so the browser treats them as display text rather than markup. For values placed in element content or quoted attribute values, this single step eliminates an entire class of security issues and is considered a baseline best practice in web development. Entity escaping does not make a value safe inside a script block, an event-handler attribute, a URL, or CSS; those contexts need their own encoding.

Named vs. Numeric Entities

HTML supports two entity styles. Named entities such as &lt; are human-readable and widely recognized. Numeric entities such as &#60; use the character's Unicode code point and work in every XML-compatible parser, making them the safer choice when output will be consumed by strict XML tools, RSS feeds, or XHTML documents. XML itself predefines only five named entities (&lt;, &gt;, &amp;, &quot;, and &apos;), so other HTML names such as &nbsp; are rejected by a strict XML parser unless a DTD declares them. Toggle the "Use numeric entities" switch above to choose the format that fits your workflow.

When to Unescape

Unescaping converts entity references back to their original characters. This is useful when migrating content between systems, debugging double-encoded strings, or previewing how a stored value will actually render in the browser. Paste the escaped markup into the input field, click "Unescape," and the tool will decode all recognized entities in a single pass.

Common Use Cases

  • Template previews: Decode legacy CMS content to verify what users will see on the front end.
  • API payloads: Escape HTML in JSON string values before sending them to a rendering service.
  • Email templates: Ensure special characters display correctly across email clients that interpret raw HTML.
  • Documentation: Show code snippets in HTML pages without the browser interpreting the tags.

FAQs

Which characters must be escaped in HTML?

The essential characters to escape are: < (&lt;), > (&gt;), & (&amp;), " (&quot;), and ' (&#39; or &apos;). These characters have special meaning in HTML and must be escaped to display literally.

What is the difference between named and numeric HTML entities?

Named entities use mnemonics like &lt; and &amp;. Numeric entities use code points like &#60; (decimal) or &#x3C; (hex). Named entities are more readable; numeric entities work for any Unicode character.

How does HTML escaping prevent XSS attacks?

Cross-site scripting (XSS) occurs when untrusted input is rendered as HTML. Escaping converts < to &lt; and > to &gt;, preventing injected script tags from executing. Always escape user input before inserting it into HTML.

What is double encoding in HTML?

Double encoding occurs when already-escaped text is escaped again, turning &amp; into &amp;amp;. This causes entities to display as literal text (e.g. showing "&lt;" instead of "<"). Only escape once.

Should I escape HTML in attribute values?

Yes. Always escape values inside HTML attributes, especially " and &. Use &quot; for double quotes inside double-quoted attributes. This prevents attribute injection attacks.
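The escaping, single-pass unescaping, and double-encoding behaviour described in the sections and FAQs above, as an added JavaScript example (not this tool's own code). The function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example; names are hypothetical, not the tool's own code.
const NAMED = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
const ENTITY_SRC = '&(?:#(\\d+)|#[xX]([0-9a-fA-F]+)|(amp|lt|gt|quot|apos));';

// Escape the five significant characters in one regex pass, so an '&'
// emitted by a replacement is never escaped again within the same call.
function escapeHtml(text, { numeric = false } = {}) {
  return String(text).replace(/[&<>"']/g, (ch) =>
    numeric ? `&#${ch.codePointAt(0)};` : NAMED[ch]);
}

// Decode the five basic named entities and decimal/hex references once.
function unescapeHtml(text) {
  return String(text).replace(new RegExp(ENTITY_SRC, 'g'), (match, dec, hex, name) => {
    if (name) return DECODE[name];
    const cp = dec ? parseInt(dec, 10) : parseInt(hex, 16);
    // Out-of-range code points stay as written instead of throwing.
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Heuristic: if one decode pass still leaves entity references, the
// value was probably escaped twice somewhere upstream.
function looksDoubleEncoded(text) {
  const once = unescapeHtml(text);
  return once !== text && new RegExp(ENTITY_SRC).test(once);
}

// Constructed untrusted inputs for the two contexts the page discusses.
const comment = '<script>alert(1)</script>';
const attrValue = '" data-injected="1';

function renderDemo() {
  return {
    // Element content: the tag arrives as display text, not markup.
    body: `<p>${escapeHtml(comment)}</p>`,
    // Quoted attribute: the escaped quote cannot close the value early.
    attr: `<input value="${escapeHtml(attrValue, { numeric: true })}">`,
    // Escaping twice turns &lt; into &amp;lt; (double encoding).
    twice: escapeHtml(escapeHtml('a < b')),
  };
}

console.log(renderDemo());
```

The double-encoding check is only a heuristic: text that legitimately documents an entity (for example a tutorial showing `&lt;`) is stored as `&amp;lt;` and will also be flagged.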

Is Free HTML Entity Encoder & Decoder Online — Escape & Unescape free to use?

Free HTML Entity Encoder & Decoder Online — Escape & Unescape is completely free and runs in your browser.

Does Free HTML Entity Encoder & Decoder Online — Escape & Unescape send my data to a server?

No. Free HTML Entity Encoder & Decoder Online — Escape & Unescape processes input directly in your browser.

Do I need to create an account to use Free HTML Entity Encoder & Decoder Online — Escape & Unescape?

No account is required to use Free HTML Entity Encoder & Decoder Online — Escape & Unescape.

Privacy-first by design

Tool inputs are processed in your browser. Review the Privacy Policy and Terms for full details.
