
Escape HTML Online

Convert special HTML characters to their safe HTML entity equivalents. Prevent XSS attacks, display HTML code as text, and safely embed user-generated content in web pages.


XSS Protection

Prevent cross-site scripting attacks by escaping HTML special characters in user-generated content.

Instant Conversion

Real-time HTML escaping with immediate results as you type. See exactly what gets converted.

Display HTML as Text

Show HTML code snippets on web pages without them being interpreted by the browser.

How to Escape HTML

Quick Steps:

  1. Paste your HTML code or text in the left panel
  2. See the escaped version instantly on the right
  3. Check how many special characters were escaped
  4. Copy or download the escaped HTML for use

Characters That Get Escaped:

  • < → &lt; (less than)
  • > → &gt; (greater than)
  • & → &amp; (ampersand)
  • " → &quot; (double quote)
  • ' → &#39; (single quote)
  • / → &#x2F; (forward slash)

Before & After Example

Before: Original HTML (Unsafe)

<div class="alert"> <p>User said: "Hi & Hello"</p> <script>alert('XSS')</script> </div>

After: Escaped HTML (Safe)

&lt;div class=&quot;alert&quot;&gt; &lt;p&gt;User said: &quot;Hi &amp; Hello&quot;&lt;&#x2F;p&gt; &lt;script&gt;alert(&#39;XSS&#39;)&lt;&#x2F;script&gt; &lt;&#x2F;div&gt;

What Happened?

All six HTML special characters were converted to their entity equivalents. The browser now renders the markup as literal text instead of parsing it, so the embedded script never executes; the same transformation lets you show code examples safely.
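As an added example (not the tool's own source code), here is a JavaScript escapeHtml using exactly the six mappings listed above, verified against the before/after pair on this page. The unescapeHtml and escapeOnce helpers are assumptions added to illustrate the "don't double-escape" note further down.

```javascript
// Added example: HTML escaping with the six-character mapping from this page.
// Not the tool's own implementation; unescapeHtml/escapeOnce are assumed helpers.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
};

// Escape a string for insertion as HTML text or inside a quoted attribute.
// A single regex pass with a replacer function means the '&' produced by one
// substitution is never fed back in and re-escaped.
function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse of escapeHtml for these six entities only; any other entity is left
// untouched. '&amp;' must be decoded last, otherwise '&amp;lt;' would wrongly
// collapse to '<'.
function unescapeHtml(input) {
  return String(input)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&#x2F;/g, '/')
    .replace(/&amp;/g, '&');
}

// Escape only if the text is not already escaped (the "don't double-escape"
// note). Heuristic: the text is treated as escaped when it contains at least
// one of the six entities and decoding then re-encoding it gives it back
// unchanged, i.e. it holds no raw special characters.
function escapeOnce(input) {
  const s = String(input);
  const hasKnownEntity = /&(amp|lt|gt|quot|#39|#x2F);/.test(s);
  const looksEscaped = hasKnownEntity && escapeHtml(unescapeHtml(s)) === s;
  return looksEscaped ? s : escapeHtml(s);
}
```

Prefer escapeHtml alone whenever you control the data flow; escapeOnce only papers over a pipeline that has lost track of whether a value is raw or already encoded.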

When to Escape HTML?

User-Generated Content

Escape HTML in user comments, forum posts, and reviews to prevent XSS attacks and malicious code injection.

Display Code Snippets

Show HTML, XML, or code examples on web pages without the browser interpreting them as actual markup.

Form Data Safety

Validate form input before storing it, and escape it whenever it is displayed, to maintain both security and data integrity.

Email Templates

Escape HTML in email content to prevent rendering issues and ensure text displays correctly across email clients.

Security & Best Practices

✅ Always Escape:

  • User input before displaying on web pages
  • Content from untrusted sources or APIs
  • Data that will be inserted into HTML attributes
  • Code examples you want to display as text
  • Database content before rendering in browsers

⚠️ Important Notes:

  • Escaping is not the same as validation; always validate input too
  • Use context-appropriate escaping (HTML, JavaScript, CSS, URL)
  • Escape on output, not on input (preserve original data)
  • Don't double-escape; check whether content is already escaped
  • Use server-side escaping for critical security requirements

Common Scenarios

Scenario 1: Displaying User Comments

❌ Dangerous (Unescaped):

<p>userComment</p>

✅ Safe (Escaped):

<p>escapeHtml(userComment)</p>

Scenario 2: Showing Code Examples

What You Want to Show:

<h1>Hello World</h1>

What You Need to Use:

&lt;h1&gt;Hello World&lt;/h1&gt;

Scenario 3: Preventing XSS Attacks

Malicious Input: <script>alert("Hacked!")</script>

After Escaping: &lt;script&gt;alert(&quot;Hacked!&quot;)&lt;/script&gt;

Result: The script is displayed as text and won't execute! ✓

Pro Tips

  1. Use Libraries: In production, use trusted libraries like DOMPurify, he, or html-entities for robust escaping.
  2. Context Matters: Different contexts (HTML, attributes, JavaScript, CSS) require different escaping strategies.
  3. Server-Side First: Always escape on the server side for critical security; client-side escaping is a bonus layer.
  4. Test Thoroughly: Test with common XSS payloads to ensure your escaping implementation is working correctly.