HTML Entity & Unicode Escape Decoder

Decode HTML entities, \uXXXX escapes, and percent-encoding in a single pass

Decode HTML entities (&, ',  ), JavaScript \uXXXX and \xXX escapes, and URL percent-encoding all at once on pasted text. Security engineers use this to de-obfuscate XSS and injection payloads safely, without running untrusted strings through a live browser console. Everything runs locally. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Is it safe to decode an XSS payload here?

Yes. The decoder only converts character escapes back to their literal characters using string operations and DOM text parsing. It never executes the payload as code, so a malicious script stays inert plain text.

This decoder reverses the most common text-encoding tricks in one place: HTML entities, JavaScript backslash escapes, and URL percent-encoding. It is built for security work — de-obfuscating a payload without pasting it into a live console where it might execute.

How it works

The tool applies up to three independent decoders, in the order you select:

  1. Percent-encoding%XX sequences are converted with a decodeURIComponent-style pass (falling back to a manual byte decode if the input is malformed).
  2. JavaScript escapes\uXXXX, \u{...}, \xXX, and the standard \n \r \t escapes are replaced with the characters they represent.
  3. HTML entities — named entities (&), decimal entities ( ), and hex entities ( ) are decoded using the browser’s own entity table via an in-memory element’s text parsing. The value is read back as text only — it is never inserted into the live document or interpreted as markup.

Because each layer is a pure string transformation, the worst a hostile input can do is produce more text. Nothing is ever evaluated.

Why this matters for security analysis

Attackers layer encodings to slip past naive filters. A single <script> tag might arrive in any of these forms:

%3Cscript%3E          (percent-encoded)
&#x3C;script&#x3E;    (HTML hex entities)
\x3cscript\x3e        (JavaScript hex escapes)
%26%23x3C%3Bscript%26%23x3E%3B   (double-encoded: percent-encoded HTML entity)

Each of these is effectively the same payload, but a simple string search for <script> misses all of them. WAFs and input filters that decode only one layer can be bypassed by layering two.

Pasting such a string into the browser DevTools console to “see what it is” risks accidental execution if the final decoded string is a valid expression and the console evaluates it. This tool decodes to inert text — you see the true payload safely, without any execution path.

Peeling nested encodings

Real-world obfuscation sometimes nests multiple layers. For example, a percent-encoded HTML entity:

%26lt%3B          ->  &lt;   (one percent-decode pass)
                  ->  <      (one HTML entity decode pass)

Run the tool with all layers enabled for a single-pass decode. If the output still looks encoded, run it again — repeat until the output stops changing.

Notes and tips

  • Toggle layers off to isolate a single encoding when you want to understand exactly how a string was obfuscated — this helps map the attacker’s technique.
  • Non-printing and control characters in the output are shown with a visible marker so a hidden U+202E (right-to-left override) or null byte (\x00) cannot disguise itself inside the decoded text.
  • Watch for Unicode homoglyphs in decoded output: characters that look like ASCII letters but have different code points (for example, Cyrillic а vs Latin a). These are used in homograph attacks on domain names and source code.
  • Decoding is one-directional here; this tool does not re-encode. All work stays in your browser and nothing is uploaded or logged.