HTML Unescape
Decode HTML entities back into their original characters. It runs entirely on your device — nothing is uploaded.
Example
Input
<b>Bold</b> & "ok"
How it works
HTML entities such as <, & and " are converted back to <, & and ".
Good to know
HTML Unescape takes text that contains HTML entities — the encoded forms like <, >, &, " and numeric references such as ' or / — and converts them back into the literal characters they represent (<, >, &, " and so on). It's the inverse of HTML escaping, and it's aimed at developers, content editors and QA testers who keep finding their angle brackets and ampersands "double-encoded" somewhere in a pipeline.
You'll typically reach for it when text has passed through one too many encoding steps: a JSON API that returns &amp;, a database column where a CMS stored already-escaped markup, a log line or scraped page where the real HTML is buried under entities, or an email template that shows raw <b> instead of bold text. Pasting it here gives you the readable, decoded version instantly so you can see what the markup or string actually is.
Read the output as the "rendered" character form. If your input was <b>Bold</b> you'll get back <b>Bold</b> — actual tags, not display text. If something stays encoded after one pass, that's a clue your data was escaped more than once; run it through again to peel off each layer until the entities stop changing.
One caveat: unescaping is purely a display/decoding step, not a safety step. Decoded HTML can contain live tags and scripts, so never take untrusted, unescaped output and inject it straight into a live page or database — that's exactly how cross-site scripting happens. Use this tool to inspect and recover content; if you need to put text back into HTML safely, escape it again first with the companion HTML Escape tool. Everything runs in your browser, so even sensitive snippets stay on your device.
Frequently asked questions
Is my data uploaded anywhere?
No — everything runs in your browser. Your code never leaves your device, so it's safe for private work and runs offline once loaded.
Is this tool free?
Yes, completely free with no sign-up and no limits.
People also ask
What is the difference between HTML escape and HTML unescape?
HTML escape converts special characters like <, > and & into safe entity codes (<, >, &) so they display as text rather than being parsed as markup. HTML unescape does the reverse, turning those entities back into the original literal characters.
Why does my text show &amp; or &lt; instead of normal symbols?
That happens when text was HTML-encoded — often more than once — as it moved through a form, API, database or template. Unescaping decodes those entities back to & and < so the text reads normally again.
What does &#39; or &#x27; mean?
Those are numeric character references for a single quote ('). ' uses the decimal code point and ' uses the hexadecimal one; an unescaper converts both back to the apostrophe character.
How do I fix double-encoded HTML?
Double-encoded HTML has entities nested inside entities, like &amp;lt;. Running the text through an unescaper repeatedly removes one layer per pass until the output stops changing, at which point it is fully decoded.
Does HTML unescaping decode named entities like &nbsp; and &copy;?
Yes. A full HTML unescaper recognizes named entities (such as for a non-breaking space and © for the copyright symbol) as well as numeric ones, converting each to its corresponding character.
Is it safe to unescape HTML from an untrusted source?
Decoding itself is safe to view, but the resulting text may contain active tags or scripts. Inserting unescaped, untrusted content directly into a web page can create cross-site scripting (XSS) risks, so it should be re-escaped before being rendered.
Can I unescape HTML entities in JavaScript?
Yes. A common browser approach is to set a temporary element's innerHTML to the encoded string and read back its textContent, or use a library such as the 'he' package; this tool does the equivalent locally so no code is needed.
Related tools