HTML Escape / Unescape
Escape HTML special characters to entities and unescape HTML entities back to characters.
About HTML Escaping
HTML escaping converts special characters into their HTML entity equivalents so they are displayed as text rather than interpreted as HTML markup. This is a critical security practice — failing to escape user-supplied content before inserting it into HTML is the root cause of Cross-Site Scripting (XSS), one of the most common and dangerous web vulnerabilities.
Characters that must be escaped
<→<— prevents being interpreted as an HTML tag opening>→>— prevents being interpreted as an HTML tag closing&→&— prevents being interpreted as an entity reference"→"— prevents breaking out of quoted HTML attributes'→'— prevents breaking out of single-quoted HTML attributes
XSS and why escaping matters
Cross-Site Scripting (XSS) occurs when attacker-controlled content is inserted into a web page without escaping. For example, if a user submits the name <script>alert('hacked')</script> and it is displayed on a page without escaping, the browser will execute the JavaScript. This can allow attackers to steal session cookies, redirect users to phishing pages, or perform actions on behalf of the victim.
Escaping vs sanitising
Escaping converts all special characters — making them safe to display as text. Sanitising selectively removes or neutralises dangerous HTML while allowing some tags through (e.g. allowing <b> and <i> for user-submitted comments). Use escaping for plain text output; use a dedicated HTML sanitiser library for rich text that should allow some markup.