HTML Escape
Escape and unescape HTML special characters.
Escaping HTML
When displaying user input on a web page, you must escape HTML special characters. Otherwise, a user could inject <script> tags and run malicious JavaScript. This is called XSS (Cross-Site Scripting).
This tool converts < > & " and ' to their entity equivalents. Use it when you need to display code samples, user content, or any text that might contain HTML.
Why It Matters
Without escaping, <script>alert("hacked")</script> in user input would execute as JavaScript. With proper escaping, it displays as harmless text.
Understanding HTML Escaping
HTML escaping converts special characters into safe representations that display as text rather than being interpreted as HTML. The five critical characters are: < (less than), > (greater than), & (ampersand), " (double quote), and ' (single quote). Without escaping, user input like "<script>alert('XSS')</script>" would execute as JavaScript in the viewer's browser.
This is different from URL encoding (which makes text safe for URLs) and HTML entity encoding (which converts all special characters). HTML escaping focuses specifically on the characters that could break HTML structure or enable code injection. Always escape untrusted content before rendering.
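The following escape/unescape pair is an added example, not the tool's own code. It covers exactly the five characters listed above and keeps unescape a strict inverse of escape (only the entities it emits are decoded); the comment-rendering helper and its sample input are constructed for illustration.

```javascript
// Added example (not the tool's own implementation): HTML escape/unescape for
// the five characters the page lists: & < > " '
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

const HTML_UNESCAPES = {
  '&amp;': '&',
  '&lt;': '<',
  '&gt;': '>',
  '&quot;': '"',
  '&#39;': "'",
  '&#x27;': "'",
  '&apos;': "'",
};

// Escape text for insertion as HTML text content or a quoted attribute value.
// A single regex pass replaces each character once, so '&' is never
// double-escaped regardless of order.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse the escape. Only the entities produced by escapeHtml (plus the two
// common single-quote spellings) are decoded; everything else is left alone.
function unescapeHtml(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#39|#x27|apos);/g, (ent) => HTML_UNESCAPES[ent]);
}

// Build a fragment from untrusted input: every interpolated value is escaped
// at the point it is written into the markup (escape on output).
function renderComment(author, body) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// Constructed sample input, mirroring the page's own example.
const sample = '<script>alert("hacked")</script>';
console.log(escapeHtml(sample));
console.log(renderComment('Mallory <admin>', sample));
```

Because the regex replaces each matched character exactly once, escaping already-escaped text yields `&amp;lt;` rather than silently leaving `&lt;` in place; that is the correct behaviour when the input is untrusted, and `unescapeHtml` undoes exactly one layer.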
Frequently Asked Questions
What's an XSS attack?
Cross-Site Scripting (XSS) occurs when attackers inject malicious scripts into web pages viewed by others. If user input isn't escaped, an attacker could submit JavaScript that steals cookies, session tokens, or performs actions on behalf of the victim. Proper escaping prevents this.
When should I escape vs. when validate/sanitize?
Validate input (check it matches expected format) on input. Sanitize (remove dangerous content) if you need clean data. Escape output when displaying any user-provided content. The common rule: "Validate input, sanitize input, escape output."
Do modern frameworks handle this automatically?
Many frameworks auto-escape output by default (React, Angular, Vue, Blade). However, you must understand when auto-escaping applies: features like dangerouslySetInnerHTML or {!! !!} bypass protection. Always verify and never trust "magic" security.
What's the difference between escape and encode?
Often used interchangeably, but technically: escaping adds characters to neutralize special meaning (backslash before quotes), while encoding transforms characters into different representations (&lt; for <). HTML uses entity encoding, but we commonly say "escape."
Is escaping enough to prevent all attacks?
Escaping prevents XSS in HTML context. But you also need URL encoding for URLs, JavaScript encoding for JS strings, CSS encoding for styles, and SQL parameterization for databases. Each context requires its own protection: there's no single solution.
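To make the per-context point concrete, here is an added example (not the tool's code) that encodes one untrusted value three different ways, for HTML text, for a JavaScript string literal, and for a URL query parameter, and assembles them into one page. The `renderProfile` helper and its input are constructed; `encodeURIComponent` is the standard built-in.

```javascript
// Added example (not the tool's own code): one value, three output contexts.
// HTML escaping covers only the first; the other two need their own encoder.

// HTML text / quoted-attribute context (same five characters as the tool).
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// JavaScript string-literal context: every character outside [A-Za-z0-9]
// becomes \uXXXX, so quotes, backslashes and "</script>" cannot terminate
// the literal or the surrounding <script> block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query-parameter context: percent-encoding via the built-in.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Constructed page template that places the same value in all three contexts,
// each with the encoder that matches where the value lands.
function renderProfile(displayName) {
  const html = encodeForHtml(displayName);
  const js = encodeForJsString(displayName);
  const url = encodeForUrlParam(displayName);
  return [
    `<h1>${html}</h1>`,
    `<a href="/search?q=${url}">search</a>`,
    `<script>var name = "${js}";</script>`,
  ].join('\n');
}

console.log(renderProfile('</script><b>'));
```

Note what HTML escaping leaves untouched: `encodeForHtml('a&b=c')` still contains `=`, which would split a query string, while `encodeForUrlParam` turns it into `%3D`. That gap is why the encoder must be chosen by destination context, not by input source.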