
HTML Escape/Unescape Live Preview - Online Sandbox

Frequently Asked Questions

HTML escaping converts special characters like <, >, &, ", and ' into their corresponding HTML entities (&lt;, &gt;, &amp;, &quot;, &#39;). This is essential for preventing XSS (Cross-Site Scripting) attacks, safely displaying HTML code as text on web pages, embedding user-generated content, and ensuring valid HTML when special characters appear in attributes or text nodes.

Escape Mode: Takes raw HTML input and converts all special characters into safe HTML entities. For example, <div> becomes &lt;div&gt;. This is what you need when embedding code snippets in a webpage.

Unescape Mode: Does the reverse — it takes escaped HTML entities and converts them back to actual characters. For example, &lt;div&gt; becomes <div>. This is useful when you've received escaped HTML and need to see or use the original markup.

Our tool escapes all five critical HTML characters:
  • & → &amp; (ampersand)
  • < → &lt; (less-than / opening tag)
  • > → &gt; (greater-than / closing tag)
  • " → &quot; (double quote)
  • ' → &#39; (single quote / apostrophe)
Note: The ampersand (&) is always escaped first to prevent double-escaping issues.

Double-escaping occurs when an already-escaped string is escaped again. For example, &lt; becomes &amp;lt; — which renders as &lt; instead of <. To avoid this, always check if your input already contains HTML entities before escaping. Our tool's Unescape mode can help you revert double-escaped content back to its original form. If you're unsure, use the preview panel to verify the rendered output.
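The ampersand-first rule and the double-escaping behaviour described above, as an added JavaScript example (not this tool's own code). All function names and sample strings are constructed for illustration, and `escapeDepth` is a heuristic that assumes any of the five entities in the input came from escaping:

```javascript
// Escape the five characters in sequence, ampersand first, so the "&" that
// starts each newly produced entity is never escaped a second time.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Deliberately wrong order, for comparison: escaping "&" last re-escapes the
// entities produced by the earlier replacements (one call, double-escaped output).
function escapeHtmlAmpersandLast(text) {
  return String(text)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/&/g, '&amp;');
}

const UNESCAPES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };

// Inverse for exactly the five entities above. A single regex pass decodes each
// entity once, so "&amp;lt;" yields "&lt;" (one layer removed), not "<".
function unescapeHtml(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#39);/g, (entity) => UNESCAPES[entity]);
}

// Heuristic: count how many escaping layers wrap a string by unescaping until
// the value stops changing. 0 = raw, 1 = escaped once, 2 = double-escaped.
function escapeDepth(text, maxLayers = 5) {
  let current = String(text);
  let depth = 0;
  while (depth < maxLayers) {
    const next = unescapeHtml(current);
    if (next === current) break;
    current = next;
    depth += 1;
  }
  return depth;
}

// Constructed sample input.
const sample = '<a title="John & Jane\'s car">';
console.log(escapeHtml(sample));
console.log(escapeHtmlAmpersandLast('<div>'), escapeDepth(escapeHtml(escapeHtml(sample))));
```
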

Yes, the Live Preview is safely sandboxed using the sandbox="allow-scripts" iframe attribute. This means scripts within your HTML will execute (so you can preview dynamic content), but they cannot access the parent page's DOM, cookies, or sensitive data. The preview is isolated from the rest of the tool. No network requests from the preview can affect the tool page itself.

XSS (Cross-Site Scripting) attacks inject malicious scripts into web pages through unescaped user input. When you escape HTML, characters like < and > become harmless entities that browsers display as text rather than executing as code. For example, an attacker's <script>stealCookies()</script> becomes &lt;script&gt;stealCookies()&lt;/script&gt;, which renders as plain text instead of running as JavaScript. Always escape user-generated content before inserting it into HTML.

Absolutely! Escaping is critical for HTML attribute values. If an attribute value contains quotes or other special characters, escaping keeps them from ending the value early or being parsed as markup. For example, title="John & Jane's car" should be escaped as title="John &amp; Jane&#39;s car" to ensure valid HTML. Our tool escapes both double and single quotes, so the result can be used in attribute values.

Simply click the copy button located at the top-right corner of the output panel. The button will briefly turn green to confirm the content has been copied to your clipboard. You can also manually select the text in the code display area and use Ctrl+C (Cmd+C on Mac). The output is displayed in a monospace font for easy reading.