XML Unescape
Decode XML entities back to their original characters. It runs entirely on your device — nothing is uploaded.
Example
How it works
Entities such as <, > and & are converted back to <, > and &.
Good to know
XML Unescape takes text containing XML character entities and converts them back into the literal characters they represent, so < becomes <, > becomes >, & becomes &, and the quote entities " and ' become " and '. It's aimed at developers, integrators, and support staff who pull data out of XML documents, SOAP responses, RSS feeds, or config files and need to recover the human-readable original text. Everything happens in your browser, which makes it safe for pasting snippets from internal systems.
You'll typically reach for this when a value looks "double-encoded" or full of ampersand sequences — for example, a log entry, an API payload, or a CDATA-adjacent field that shows <tag> instead of the markup you expected. Unescaping reveals what the data actually contains so you can read it, copy it into another document, or debug why an entity ended up in the stream in the first place.
When reading the result, remember that unescaping only reverses the five standard predefined XML entities plus numeric character references (such as © or —); it does not parse or validate the surrounding markup. The output is plain text, so if the original was a fragment of XML it will once again contain raw angle brackets and may no longer be safe to drop directly into an HTML page or another XML document without re-escaping.
- Unescape once per layer of encoding — if a string was escaped twice, run it through again to fully decode it.
One practical caveat: this is the inverse of XML escaping, not HTML decoding. Named HTML entities like or © are not part of the XML standard, so a strict XML unescaper may leave them untouched. If you need those, decode the numeric form or use an HTML-specific tool, and use the companion XML Escape tool when you need to go the other direction.
Frequently asked questions
Is my data uploaded anywhere?
No — everything runs in your browser. Your code never leaves your device, so it's safe for private work and runs offline once loaded.
Is this tool free?
Yes, completely free with no sign-up and no limits.
People also ask
What is the difference between XML unescape and XML escape?
Escaping replaces special characters like <, > and & with safe entities (<, >, &) so they don't break the markup, while unescaping reverses that process to recover the original characters. This tool unescapes; use the XML Escape tool to go the other way.
What are the five predefined XML entities?
XML defines five built-in character entities: < for <, > for >, & for &, " for the double quote, and ' for the apostrophe. Unescaping converts each of these back to its literal character.
Does this tool decode numeric character references like ©?
Yes, a proper XML unescaper resolves numeric references in both decimal form (such as ©) and hexadecimal form (such as ©) to their corresponding Unicode characters, in addition to the five named entities.
Why does my text still show or © after unescaping?
Those are HTML named entities, not XML ones. XML only defines five named entities, so a strict XML tool leaves other HTML names as-is; you would need the numeric reference or an HTML decoder to convert them.
Is it safe to paste XML output back into a webpage after unescaping?
Not necessarily. Unescaping produces raw characters including < and &, which can break markup or introduce injection risks if inserted directly into HTML or XML, so re-escape the text for the target context before reusing it.
What does double-escaped XML mean and how do I fix it?
Double-escaped text is when an already-escaped string was escaped again, so you see sequences like &lt; instead of <. Running the unescape once turns &lt; into <, and running it a second time produces the original < character.
Can I unescape an entire XML file at once?
You can paste large blocks of text and the tool will convert every recognized entity it finds, but it treats the input as plain text rather than parsing the document, so it won't validate structure or report malformed markup.
Related tools