HTML Escape
Escape HTML special characters so text renders literally instead of as markup. It runs entirely on your device — nothing is uploaded.
Example
Input
<b>Bold</b> & "quoted"
Output
&lt;b&gt;Bold&lt;/b&gt; &amp; &quot;quoted&quot;
How it works
Characters like <, >, &, " and ' are replaced with their HTML entities so the text displays as-is.
Good to know
HTML Escape converts the five characters that have special meaning in HTML — the less-than sign, greater-than sign, ampersand, double quote, and single quote — into their named entity equivalents (&lt;, &gt;, &amp;, &quot;, and &#39; or &apos;). The result is text that a browser will display exactly as written instead of trying to interpret it as tags or attributes. It is built for developers, technical writers, and anyone who needs to show code or markup on a web page without it being rendered.
Reach for it whenever literal angle brackets or ampersands need to survive a trip through HTML: pasting a code snippet into a blog post, putting example markup inside a documentation table, dropping user-supplied text into an HTML email, or hand-building a static page where stray characters would otherwise break the layout. Escaping is also the core defense against stored or reflected cross-site scripting (XSS) — if any value originating from a user ends up inside HTML, escaping it first prevents that value from becoming executable markup.
To read the output, compare it character by character with your input: each special character becomes a short sequence starting with an ampersand and ending in a semicolon, while everything else (letters, digits, spaces, line breaks) passes through untouched. When that output is later placed in an HTML document and viewed in a browser, it will look identical to your original input, because the browser decodes the entities back into the visible characters.
One important caveat: escaping for HTML body content is not the same as escaping for other contexts. A value that is safe inside a paragraph may still be unsafe inside a URL, a JavaScript string, or an unquoted attribute, so do not treat HTML escaping as a universal sanitizer. Also avoid escaping the same text twice — double-escaping turns an ampersand into &amp;amp; and will show the raw entity codes to your readers; if you need to go back, pair this with the HTML Unescape tool instead.
Frequently asked questions
Is my data uploaded anywhere?
No — everything runs in your browser. Your code never leaves your device, so it's safe for private work and runs offline once loaded.
Is this tool free?
Yes, completely free with no sign-up and no limits.
People also ask
What is the difference between HTML escaping and HTML encoding?
In everyday use the terms are interchangeable — both refer to replacing characters like < and & with HTML entities so they are treated as text rather than markup. "Encoding" is sometimes used more broadly to also include numeric character references for non-ASCII characters, but for the special characters this tool handles, escaping and encoding mean the same thing.
Which characters need to be escaped in HTML?
The core characters are the ampersand (&), less-than (<), and greater-than (>) signs, plus the double quote (") and single quote (') when text sits inside an attribute. The ampersand should be escaped first so that the other entities you generate are not themselves altered.
Does HTML escaping prevent XSS attacks?
Escaping user input before placing it in HTML is a key part of preventing cross-site scripting, because it stops injected text from being parsed as executable tags or scripts. However, it is context-dependent and not a complete solution on its own; values used in URLs, JavaScript, or CSS need their own appropriate encoding.
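The context caveat above, shown for a link target. This is an added example, not code from this tool: safeHref, renderLink and the scheme allow-list are illustrative names and assumptions, and the sample inputs are constructed.

```javascript
// Same five-character escape the page describes.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);

// Assumption: only these schemes are acceptable as link targets.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a value that is safe inside a double-quoted href attribute,
// or "#" when the input is not an absolute URL with an allowed scheme.
function safeHref(untrusted) {
  let parsed;
  try {
    // Parse with the URL parser instead of prefix-matching the string,
    // so case and whitespace variations are normalized before the check.
    parsed = new URL(String(untrusted));
  } catch {
    return "#"; // relative or malformed input is rejected in this sketch
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return "#";
  // The scheme is acceptable; now escape for the HTML attribute context.
  return escapeHtml(parsed.href);
}

// Label goes into body text, URL goes into a quoted attribute:
// two contexts, two different treatments.
function renderLink(untrustedUrl, untrustedLabel) {
  return `<a href="${safeHref(untrustedUrl)}">${escapeHtml(untrustedLabel)}</a>`;
}

// Constructed samples.
const scriptUrl = "javascript:alert(1)";
console.log(escapeHtml(scriptUrl) === scriptUrl);   // true: escaping alone changes nothing
console.log(renderLink(scriptUrl, "<b>click</b>")); // href falls back to "#"
console.log(renderLink("https://example.com/search?q=1&lang=en", "Search"));
```

The first line printed shows why escaping alone is not enough here: the value contains none of the five special characters, so it passes through untouched and only the scheme check stops it.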
How do I reverse HTML escaping?
You convert the entities back to plain characters using an unescape or decode step, which turns sequences like &lt; back into <. CalcCafe offers a companion HTML Unescape tool for this, and it runs entirely in your browser as well.
Should I escape single quotes and double quotes?
Yes when the text will be placed inside an HTML attribute, because an unescaped quote can close the attribute early and let surrounding content be misread. Inside ordinary body text, quotes are usually safe, but escaping them is harmless and keeps output portable across contexts.
What happens if I escape text that is already escaped?
You get double-escaping: an existing entity like &lt; becomes &amp;lt;, which a browser will display literally as the text "&lt;" rather than as a less-than sign. To avoid this, only escape raw, unescaped text, and unescape once if you suspect a value was already processed.
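The ampersand-first rule and the double-escaping behaviour described in the answers above, as an added example (not this tool's own code). The function names are illustrative, and the sample is the page's example input.

```javascript
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Single pass: every input character is visited once, so an ampersand that
// was just emitted as part of an entity is never escaped again.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Sequential replacement, one character at a time in the given order.
// Only correct when "&" is handled first.
function escapeSequential(text, order) {
  let out = String(text);
  for (const ch of order) out = out.split(ch).join(ENTITIES[ch]);
  return out;
}

// Reverse step, also a single pass, so "&amp;lt;" decodes to "&lt;"
// (one level) rather than all the way to "<".
const DECODE = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", "#39": "'" };
function unescapeHtml(text) {
  return String(text).replace(/&(amp|lt|gt|quot|apos|#39);/g, (_, name) => DECODE[name]);
}

const sample = '<b>Bold</b> & "quoted"';
const once = escapeHtml(sample);
const twice = escapeHtml(once); // double-escaped
const ampFirst = escapeSequential(sample, ["&", "<", ">", '"', "'"]);
const ampLast = escapeSequential(sample, ["<", ">", '"', "'", "&"]);

console.log(once);              // what a correct escape produces
console.log(ampFirst === once); // true: "&" first matches the single pass
console.log(ampLast);           // entities corrupted: "&lt;" became "&amp;lt;"
console.log(twice);             // every "&" from the first pass escaped again
console.log(unescapeHtml(twice) === once); // true: one unescape undoes one escape
```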
Do I need to escape characters like accented letters or emoji?
No, this tool only converts the HTML-significant characters; letters, accents, and emoji can be left as-is as long as the page is served with UTF-8 encoding. Numeric character references for those characters are optional and mainly useful for legacy systems with limited character support.
Is escaping handled automatically by web frameworks and template engines?
Most modern templating systems escape interpolated values by default, which is why manual escaping is mainly needed for raw HTML, static files, or output that bypasses the template's auto-escaping. When a framework offers a "raw" or "unsafe" output mode, any user-supplied text passed through it should be escaped first.