Skip to main content

unescape()

unescape(str): string

Unescapes HTML entities to their corresponding characters.

note

Unescapes &, <, >, ", and '.

Parameters​

str: string​

The string to unescape.

Returns: string​

The unescaped string.

See Also​

escape

Since​

2.0.0

Performance​

O(n) time where n is string length. Single regex pass with object lookup.

Also known as​

unescape (Lodash, es-toolkit) · unescapeHtml (Modern Dash) · ❌ (Remeda, Radashi, Ramda, Effect, Antfu)

Example​

unescape('&lt;div&gt;');           // => '<div>'
unescape('a &amp; b');             // => 'a & b'
unescape('&quot;hello&quot;');     // => '"hello"'
unescape('&#39;quoted&#39;');      // => "'quoted'"

// Roundtrip with escape
const original = '<script>alert("XSS")</script>';
unescape(escape(original)) === original; // => true

How it works?​

Converts HTML entities back to their corresponding characters. Inverse of escape.

Entity Mapping​

EntityCharacter
&amp;&
&lt;<
&gt;>
&quot;"
&#39;'

Use Case​

Use Cases​

Decode API responses for display πŸ“Œβ€‹

Convert HTML entities from API content back to readable characters. Essential when displaying user-generated content stored with HTML encoding.

unescape("Tom &amp; Jerry");
// => "Tom & Jerry"

Process CMS content for rendering πŸ“Œβ€‹

Restore original characters from CMS or WYSIWYG editor output. Critical for headless CMS integrations where content comes pre-escaped.

unescape("&lt;p&gt;Welcome!&lt;/p&gt;");
// => "<p>Welcome!</p>"

Roundtrip with escape for data integrity​

Verify data integrity by ensuring escape/unescape roundtrips preserve content.

const original = '<script>alert("XSS")</script>';
unescape(escape(original)) === original; // => true