Markdown HTML Escape (Strip / Escape Inline HTML)

Markdown allows inline HTML by default — which is great for power users but a security risk if you accept user-supplied markdown (XSS via <script> or onerror handlers). This tool strips or escapes inline HTML before rendering.

How to use the Markdown HTML Escape (Strip / Escape Inline HTML)

Pick mode. Escape preserves tags as visible text. Strip removes them entirely. Both make user-supplied markdown safe to render.

Why inline HTML in Markdown is risky

By design, Markdown lets you drop raw HTML straight into a document, and most renderers pass it through untouched. That is convenient when you write your own docs, but dangerous the moment you render Markdown that someone else supplied: a <script> tag or an onerror handler in the input becomes live code in the page — a cross-site scripting (XSS) hole.

This tool defuses that input two ways. Escape converts the angle brackets to entities so the tags show up as visible text instead of running. Strip removes the tags entirely, leaving only their text content. Either makes user-supplied Markdown safe to render, though for production you should still pass output through a vetted sanitizer as defence in depth.

Common use cases

  • Accepting user Markdown — neutralize embedded HTML before rendering comments or posts.
  • Preventing XSS — remove <script> and event-handler attributes from untrusted input.
  • Showing markup literally — escape tags so a tutorial can display HTML as text.
  • Cleaning pasted content — strip stray tags from Markdown copied out of a web page.
  • Sanitization step — pre-process input as one layer before a full HTML sanitizer.

Frequently asked questions

What is the difference between escape and strip?

Escape converts < and > to entities so the tags appear as literal text and never execute. Strip deletes the tags outright, keeping their inner text. Escape preserves what was written; strip removes it.

Is this enough to stop XSS on its own?

It removes the most obvious vector, but a robust pipeline also runs the rendered HTML through a maintained sanitizer such as DOMPurify and applies a content security policy. Treat this as one layer, not the whole defense.

Does it affect normal Markdown formatting?

No. Markdown syntax like **bold** and `code` is left alone; only raw HTML tags are escaped or removed. The document still renders as Markdown.

Why does Markdown allow raw HTML at all?

The original spec aimed to let authors reach for HTML whenever Markdown lacked a feature. That openness is powerful for trusted authors but is exactly why untrusted input must be escaped or stripped first.
Embed this tool on your site

Free to embed, no attribution required (but appreciated). Paste this where you want the tool to appear: