Is it safe to decode an XSS payload here?

Yes. The decoder only converts character escapes back to their literal characters using string operations and DOM text parsing. It never executes the payload as code, so a malicious script stays inert plain text.

What encodings does it handle?

Named HTML entities (&), decimal and hex numeric entities ( / ), JavaScript \uXXXX, \u{...}, and \xXX escapes, and URL percent-encoding (%20). You can decode all three layers in one pass or peel them individually.

Why decode in one pass?

Real-world obfuscation often nests encodings — a percent-encoded HTML entity, for example. Decoding several layers at once, or repeatedly, reveals the underlying string faster than guessing which single decoder to apply.

How are HTML entities decoded without a browser console?

The tool sets the encoded text as the textContent-equivalent of an in-memory element and reads back its decoded text. This uses the browser's own entity table but never inserts the value into the live page or runs it as HTML.

Does my pasted text leave the browser?

No. All decoding is done locally in JavaScript. Nothing is uploaded, logged, or stored, which is why it is safe for sensitive or malicious sample payloads.

HTML Entity & Unicode Escape Decoder

This decoder reverses the most common text-encoding tricks in one place: HTML entities, JavaScript backslash escapes, and URL percent-encoding. It is built for security work — de-obfuscating a payload without pasting it into a live console where it might execute.

How it works

The tool applies up to three independent decoders, in the order you select:

Percent-encoding — %XX sequences are converted with a decodeURIComponent-style pass (falling back to a manual byte decode if the input is malformed).
JavaScript escapes — \uXXXX, \u{...}, \xXX, and the standard \n \r \t escapes are replaced with the characters they represent.
HTML entities — named entities (&), decimal entities ( ), and hex entities ( ) are decoded using the browser’s own entity table via an in-memory element’s text parsing. The value is read back as text only — it is never inserted into the live document or interpreted as markup.

Because each layer is a pure string transformation, the worst a hostile input can do is produce more text. Nothing is ever evaluated.

Why this matters for security analysis

Attackers layer encodings to slip past naive filters: a script tag might arrive as %3Cscript%3E, as <script>, or as \x3cscript\x3e. Pasting such a string into the browser DevTools console to “see what it is” risks accidental execution. This tool decodes it to inert text so you can read the true payload safely. Run it repeatedly on nested encodings until the output stops changing.

Notes and tips

Toggle layers off to isolate a single encoding when you want to understand exactly how a string was obfuscated.
Non-printing and control characters in the output are shown with a visible marker so a hidden ‮ (right-to-left override) or null byte cannot disguise itself.
Decoding is one-directional here; this tool does not re-encode. All work stays in your browser.