DevToolsForYou

HTML Escape Tool in Java — Code Examples

HTML Escape Tool in JavaUse the online tool →

HTML escaping converts special characters like <, >, &, and " into their HTML entity equivalents (&lt;, &gt;, &amp;, &quot;) to prevent XSS attacks and ensure correct rendering. Here is how to escape and unescape HTML in each language.

Java's standard library lacks an HTML escaping utility. Use Apache Commons Text (StringEscapeUtils) or Spring's HtmlUtils.

Also in:JavaScript / Node.jsPythonGoPHPRubyRustC# / .NET
Java (Apache Commons Text)
// Maven: org.apache.commons:commons-text:1.11.0
import org.apache.commons.text.StringEscapeUtils;

public class HtmlEscapeExample {
    public static void main(String[] args) {
        String raw = "<script>alert(\"xss\")</script> & \"quotes\"";

        // Escape HTML4 entities
        String escaped = StringEscapeUtils.escapeHtml4(raw);
        System.out.println(escaped);
        // &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; &amp; &quot;quotes&quot;

        // Unescape
        String unescaped = StringEscapeUtils.unescapeHtml4(escaped);
        System.out.println(unescaped);

        // Spring alternative (no extra dependency if already using Spring)
        // String escaped = org.springframework.web.util.HtmlUtils.htmlEscape(raw);
        // String unescaped = org.springframework.web.util.HtmlUtils.htmlUnescape(escaped);
    }
}
Notes & gotchas
  • escapeHtml4 handles HTML 4 named entities; it escapes <, >, &, ", and ' among others.
  • Spring's HtmlUtils.htmlEscape is a lightweight alternative if you are already using Spring.
  • In Thymeleaf / JSP templates, content is auto-escaped by default — use th:utext only for pre-escaped HTML.
Try it in your browser

Need to html escape/unescape without writing code? The HTML Escape Tool runs entirely in your browser — paste your input and get the result instantly. No signup, no install, no data sent to a server.

Open HTML Escape/Unescape
HTML Escape Tool in other languages

HTML Escape Tool in JavaScript / Node.js

In browsers, create a temporary DOM element to escape HTML reliably. In Node.js, use a library like he or escape manually.

HTML Escape Tool in Python

Python's standard library includes the html module with html.escape and html.unescape. No third-party packages needed.

HTML Escape Tool in Go

Go's html package provides EscapeString and UnescapeString. Both handle the five critical HTML characters.

HTML Escape Tool in PHP

PHP provides htmlspecialchars for escaping the five critical characters and htmlentities for full entity encoding. Always pass ENT_QUOTES.

HTML Escape Tool in Ruby

Ruby's CGI module provides CGI.escapeHTML and CGI.unescapeHTML. Rails adds the h helper and auto-escapes ERB output by default.

HTML Escape Tool in Rust

The html-escape crate provides encode_text and decode_html_entities. For template rendering, askama and minijinja auto-escape by default.

HTML Escape Tool in C# / .NET

C# provides WebUtility.HtmlEncode in System.Net (all .NET targets) and HttpUtility.HtmlEncode in System.Web (ASP.NET only).