String to Escaped HTML - Online Protect Against XSS
Instantly convert plain text into HTML‑safe escaped characters for secure display in web pages. Prevent cross‑site scripting. All processing local.
UD5 Toolkit
Encode special characters to HTML entities or decode them back — fast, free & online
| Character | Description | Named Entity | Numeric Entity |
|---|---|---|---|
| & | Ampersand | &amp; | &#38; |
| < | Less-than | &lt; | &#60; |
| > | Greater-than | &gt; | &#62; |
| " | Double quote | &quot; | &#34; |
| ' | Single quote | &apos; | &#39; |
| © | Copyright | &copy; | &#169; |
| ® | Registered | &reg; | &#174; |
| ™ | Trademark | &trade; | &#8482; |
| € | Euro sign | &euro; | &#8364; |
| — | Em dash | &mdash; | &#8212; |
|   | Non-breaking space | &nbsp; | &#160; |
HTML escaping (also called HTML encoding) is the process of converting special characters — such as <, >, &, ", and ' — into their corresponding HTML entity representations. This prevents browsers from interpreting them as actual HTML markup, ensuring code snippets display correctly on web pages and protecting against cross-site scripting (XSS) vulnerabilities.
Use HTML escaping whenever you display user-generated content, embed code examples in a webpage, write HTML tutorials or documentation, send HTML emails, or work with templating engines. It's essential for safely rendering text that might contain characters with special meaning in HTML.
The five characters that should always be escaped are: & (ampersand → &amp;), < (less-than → &lt;), > (greater-than → &gt;), " (double quote → &quot;), and ' (single quote → &#39; or &apos;). Failing to escape these can break your HTML layout or introduce security risks.
Named entities use readable names (e.g., &lt; for <), making them easy to remember and write. Numeric entities use decimal or hexadecimal code points (e.g., &#60; or &#x3C; for <). Both are equally valid in HTML5, though named entities are generally preferred for readability when available.
HTML escaping is a critical layer of defense against XSS, but it's not sufficient on its own. You should also use Content Security Policy (CSP) headers, validate and sanitize all user inputs, escape output based on context (HTML body, attributes, JavaScript, CSS, or URLs), and keep frameworks and libraries up to date. Defense in depth is essential for robust security.
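The context point above is easy to state and easy to get wrong in practice, so here is an added example (not code from the UD5 Toolkit) with one encoder per output context: HTML body, quoted attribute, JavaScript string literal and URL query parameter, plus a scheme allowlist for `href` values, where HTML escaping alone does nothing. All function names are hypothetical; the sample inputs are constructed.

```javascript
// Added example, not part of the UD5 Toolkit page. Function names are hypothetical.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML body context: the five characters the FAQ lists.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Attribute context: HTML escaping is only sufficient when the attribute is
// quoted, so this helper always emits the quotes itself.
function htmlAttr(name, value) {
  return `${name}="${escapeHtml(value)}"`;
}

// JavaScript string-literal context (inside <script>): HTML entities are not
// interpreted there, so every non-alphanumeric character becomes \xHH or
// \u{HHHH}. Because "<" and "/" are escaped, "</script>" cannot appear.
function escapeJsString(text) {
  return String(text).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    return cp < 0x100
      ? "\\x" + cp.toString(16).padStart(2, "0")
      : "\\u{" + cp.toString(16) + "}";
  });
}

// URL query-parameter context: percent-encode name and value separately. If the
// resulting URL is placed in an href attribute, HTML-escape it afterwards too.
function urlParam(name, value) {
  return encodeURIComponent(name) + "=" + encodeURIComponent(value);
}

// href context: escaping cannot fix a dangerous scheme, so allowlist the scheme
// first, then HTML-escape the normalised URL for the attribute. Anything that does
// not parse or uses another scheme is replaced by an inert "#".
const SAFE_SCHEMES = ["http:", "https:", "mailto:"];
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url), "https://example.invalid/"); // base is a constructed placeholder
  } catch {
    return "#";
  }
  return SAFE_SCHEMES.includes(parsed.protocol) ? escapeHtml(parsed.href) : "#";
}

// Constructed sample value that would be mishandled by using escapeHtml everywhere.
const sample = 'say "hi" & bye';
console.log(`<p>${escapeHtml(sample)}</p>`);
console.log(`<span ${htmlAttr("title", sample)}></span>`);
console.log(`<script>var s = "${escapeJsString(sample)}";</script>`);
console.log(`<a href="${safeHref("https://example.com/?" + urlParam("q", sample))}">link</a>`);
```

Each helper is bound to exactly one context; the design choice worth copying is that none of them tries to be a general-purpose "make it safe" function, which is where single-pass HTML escaping goes wrong.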
Yes! Our tool processes text efficiently using browser-native DOM parsing and string replacement. It handles thousands of characters instantly. For extremely large inputs (100,000+ characters), you may want to disable real-time mode for smoother performance.
Unescape (or HTML decoding) reverses the escaping process — it converts HTML entities like &lt;, &quot;, &copy; back into their original characters (<, ", ©). This is useful when you receive escaped HTML content and need to read or edit the original text.
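To make the named-versus-numeric distinction and the decoding step concrete, here is an added example (not the UD5 Toolkit's own code) that escapes with either entity form and decodes named, decimal and hexadecimal references. The entity table is deliberately limited to the entities listed on this page; function names are hypothetical and the inputs are constructed.

```javascript
// Added example, not part of the UD5 Toolkit page. Names are hypothetical.

// Named entities from the table on this page (a real decoder would carry the
// full HTML5 list; this one is intentionally limited to what the page shows).
const NAMED = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  copy: "©", reg: "®", trade: "™", euro: "€", mdash: "—", nbsp: "\u00A0",
};
const CHAR_TO_NAME = Object.fromEntries(Object.entries(NAMED).map(([n, c]) => [c, n]));
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Escape with named entities, the form the FAQ recommends for readability.
function escapeNamed(text) {
  return Array.from(String(text), (ch) => (hasOwn(CHAR_TO_NAME, ch) ? `&${CHAR_TO_NAME[ch]};` : ch)).join("");
}

// Escape the same characters as decimal numeric references, e.g. "<" -> "&#60;".
function escapeNumeric(text) {
  return Array.from(String(text), (ch) => (hasOwn(CHAR_TO_NAME, ch) ? `&#${ch.codePointAt(0)};` : ch)).join("");
}

// Decode named (&lt;), decimal (&#60;) and hexadecimal (&#x3C;) references.
// Unknown names are left untouched rather than guessed, and code points that are
// not valid scalar values (above U+10FFFF or in the surrogate range) are refused.
function decodeEntities(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const isHex = body[1].toLowerCase() === "x";
      const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      const valid = cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
      return valid ? String.fromCodePoint(cp) : match;
    }
    return hasOwn(NAMED, body) ? NAMED[body] : match;
  });
}

// Decoded text is plain text again: re-escape it before it goes back into HTML.
const constructedInput = '<a href="x">\'q\' & ™</a>';
console.log(escapeNamed(constructedInput));
console.log(escapeNumeric(constructedInput));
console.log(decodeEntities(escapeNamed(constructedInput)) === constructedInput); // round trip
```

The decoder accepts both numeric forms because the FAQ notes they are equally valid in HTML5; a decoder that only understood the named form would silently leave `&#60;` in place.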