Skip to main content

unescape()

unescape(str): string

Unescapes HTML entities to their corresponding characters.

note

Unescapes &, <, >, ", and '.

Parametersโ€‹

str: stringโ€‹

The string to unescape.

Returns: stringโ€‹

The unescaped string.

See Alsoโ€‹

escape

Sinceโ€‹

2.0.0

Performanceโ€‹

O(n) time where n is string length. Single regex pass with object lookup.

Also known asโ€‹

unescape (Lodash, es-toolkit) ยท unescapeHtml (Modern Dash) ยท โŒ (Remeda, Radashi, Ramda, Effect, Antfu)

Exampleโ€‹

unescape('&lt;div&gt;');           // => '<div>'
unescape('a &amp; b');             // => 'a & b'
unescape('&quot;hello&quot;');     // => '"hello"'
unescape('&#39;quoted&#39;');      // => "'quoted'"

// Roundtrip with escape
const original = '<script>alert("XSS")</script>';
unescape(escape(original)) === original; // => true

How it works?โ€‹

Converts HTML entities back to their corresponding characters. Inverse of escape.

Entity Mappingโ€‹

EntityCharacter
&amp;&
&lt;<
&gt;>
&quot;"
&#39;'

Use Caseโ€‹

Use Casesโ€‹

Decode API responses for display ๐Ÿ“Œโ€‹

Convert HTML entities from API content back to readable characters. Essential when displaying user-generated content stored with HTML encoding.

unescape("Tom &amp; Jerry");
// => "Tom & Jerry"

Process CMS content for rendering ๐Ÿ“Œโ€‹

Restore original characters from CMS or WYSIWYG editor output. Critical for headless CMS integrations where content comes pre-escaped.

unescape("&lt;p&gt;Welcome!&lt;/p&gt;");
// => "<p>Welcome!</p>"

Roundtrip with escape for data integrityโ€‹

Verify data integrity by ensuring escape/unescape roundtrips preserve content.

const original = '<script>alert("XSS")</script>';
unescape(escape(original)) === original; // => true