Guide

How to use this tool, examples, and related tips.

How to Use the HTML Escape Tool

Paste your raw string into the input field.

The tool escapes &, <, >, ", and ' by replacing them with their HTML entity equivalents.

Copy the escaped string and insert it into your HTML document.

What Is HTML Escaping?

HTML escaping is the process of replacing characters that carry structural meaning in HTML with their entity reference equivalents so they are treated as literal text content rather than markup. It is functionally identical to HTML encoding — the terms are interchangeable. The order of substitution matters when the replacements are applied one after another: & must always be escaped first, otherwise the ampersands in entities produced by earlier replacements get escaped a second time. Unescaped reserved characters in HTML content can break page rendering, corrupt document structure, or — if the content is attacker-controlled — create a cross-site scripting (XSS) vulnerability.

When to Use This Tool

Inserting dynamic content into HTML — Escape any variable content before placing it in an HTML template, regardless of its source.

Displaying code in web pages — Escape source code before wrapping it in <pre><code> blocks so angle brackets and ampersands render correctly.

Preventing XSS in output — Escaping untrusted input at the point of HTML output is the foundational defense against reflected and stored XSS.

Preparing strings for HTML attributes — Escape values being inserted into tag attributes, especially href, value, title, and alt.

Related Tools

  • HTML unescape
  • HTML encoder
  • HTML validator
  • XML escape
  • JavaScript escape

FAQ

Answers about this tool and how your data is handled.

What is the difference between HTML escape and HTML encode?

They are the same operation. Both replace &, <, >, ", and ' with HTML entity references. The tools may be presented separately for discoverability but produce identical output.

Why must & be escaped before other characters?

If you escape < first (producing &lt;), then escape &, you'd incorrectly double-escape the ampersand in &lt; to &amp;lt;. Always escape & first — or use a tool that handles the order correctly.
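The double-escaping described above, as an added example (not the tool's own code): it applies the five replacements one after another in both orders and compares the results with a single-pass replace, which visits each input character once and so has no ordering problem. All function names, the sample strings, and the choice of &#39; for the apostrophe are assumptions.

```javascript
// Added example; identifiers are illustrative and not taken from the tool.
// Assumption: the apostrophe is written as &#39; (the page does not say
// which entity form the tool emits).
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Naive approach: one global replacement per character, in the given order.
function escapeSequential(input, order) {
  let out = String(input);
  for (const ch of order) {
    out = out.split(ch).join(ENTITIES[ch]);
  }
  return out;
}

// Ampersand first: no entity exists yet, so only literal "&" is rewritten.
const escapeAmpFirst = (s) => escapeSequential(s, ["&", "<", ">", '"', "'"]);

// Ampersand last: the "&" inside &lt; &gt; &quot; &#39; is escaped again.
const escapeAmpLast = (s) => escapeSequential(s, ["<", ">", '"', "'", "&"]);

// Single pass: the regex scans the original input once, so output that has
// already been produced is never rescanned and ordering cannot go wrong.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Attribute context: escaping keeps the value inside the attribute only
// because the value is wrapped in quotes in the template.
function inputTag(value) {
  return `<input value="${escapeHtml(value)}">`;
}

// Constructed sample input.
const sample = `<b>Tom & Jerry's</b>`;
console.log(escapeAmpFirst(sample)); // correct
console.log(escapeAmpLast(sample));  // double-escaped
console.log(escapeHtml(sample));     // same as the correct sequential result
console.log(inputTag(`5" monitor & stand`));
```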

Does this tool send my data to a server?

No. It runs entirely in your browser. Nothing is uploaded.

Is this sufficient to prevent all XSS attacks?

For HTML text node and attribute value contexts, yes. XSS prevention in JavaScript, URL, and CSS contexts requires different escaping rules. Use a security-focused templating engine for production applications.

Can I use this for XML content too?

The five characters handled here are valid for both HTML and XML contexts. For XML-specific escaping, use the XML escape tool.
