
String Escape/Unescape

Escape and unescape strings for JSON, JavaScript, HTML, XML, URL, CSV, SQL, and regex.


Why I Built This String Escape Tool

I can never remember which characters need escaping in which context. Is it \" or "? Does backslash need escaping in regex? What about in JSON inside JavaScript? Instead of googling every time, I built this tool to handle all the common formats.

The ability to switch between formats quickly is what makes this useful for me. When I'm copying text from an error message into a JSON config file, I need JSON escaping. When I'm building a regex pattern from user input, I need regex escaping. Same data, different escaping rules.

What I Use This For

  • JSON Configuration - Escaping multi-line strings for JSON files
  • HTML Content - Escaping user input before displaying in HTML
  • URL Parameters - Encoding special characters for URLs
  • Regex Patterns - Escaping literal text for use in regex
  • SQL Debugging - Properly escaping quotes in SQL strings
  • CSV Export - Escaping fields with commas or quotes

This complements the HTML Encoder for HTML-specific work, and the URL Encoder for URL-specific encoding. When I need to format JSON with proper escaping already applied, I use the JSON Formatter.

Understanding Different Escape Formats

JSON Escaping

JSON requires escaping double quotes, backslashes, and control characters. Newlines become \n, tabs become \t. This is what you need when embedding strings in JSON files or API responses.

JavaScript Escaping

JavaScript strings can use single or double quotes, so both need escaping. JavaScript also supports additional sequences like \0 for null characters. Use this when building strings in JavaScript code.

HTML/XML Escaping

HTML uses entity references: &lt; for <, &gt; for >, &amp; for &. This prevents user input from being interpreted as HTML tags, which is essential for preventing XSS attacks.

URL Encoding

URL encoding replaces unsafe characters with percent-encoded values. Space becomes %20, & becomes %26. Use this for query parameters and URL paths containing special characters.

Regex Escaping

Regex has metacharacters like . * + ? that have special meaning. To match them literally, escape each one with a backslash. Use this when building regex patterns from user-provided literal text.

SQL Escaping

SQL strings escape single quotes by doubling them: ' becomes ''. Note that parameterized queries are still the recommended approach for preventing SQL injection - this is for debugging and understanding, not for building production queries.

Common Escape Sequences

Here's a quick reference for the most common escape sequences:

  • \n - Newline (line feed)
  • \r - Carriage return
  • \t - Tab
  • \\ - Backslash
  • \" - Double quote (in JSON/JS)
  • \' - Single quote (in JS)
  • &lt; - Less than (in HTML)
  • &gt; - Greater than (in HTML)
  • %20 - Space (in URLs)
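
The formats described above, applied to one input, as an added example (not this tool's own code). The names escapers, escapeFor, containsLiteral and SAMPLE are hypothetical, the input is constructed, and the HTML escaper also covers quotes so the result is usable inside a quoted attribute value.

```javascript
// Added example: one constructed input, escaped per target context.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

const escapers = {
  // JSON string literal, including the surrounding double quotes.
  json: (s) => JSON.stringify(s),
  // HTML text or a quoted attribute value.
  html: (s) => s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]),
  // A single query-parameter value, not a whole URL.
  url: (s) => encodeURIComponent(s),
  // Literal text placed inside a regex pattern.
  regex: (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'),
  // SQL string literal by quote doubling; for reading and debugging only.
  sql: (s) => "'" + s.replace(/'/g, "''") + "'",
  // CSV field: quoted only when it contains a comma, a quote or a line break.
  csv: (s) => (/[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s),
};

function escapeFor(context, text) {
  // Own-property check so names like "constructor" are rejected.
  if (!Object.prototype.hasOwnProperty.call(escapers, context)) {
    throw new Error('unknown context: ' + context);
  }
  return escapers[context](text);
}

// True only if `needle` occurs in `haystack` as literal text.
function containsLiteral(haystack, needle) {
  return new RegExp(escapeFor('regex', needle)).test(haystack);
}

const SAMPLE = `O'Neil <a&b>, "50%" (v1.0)`; // constructed input

for (const context of Object.keys(escapers)) {
  console.log(context.padEnd(5), escapeFor(context, SAMPLE));
}
// Unescaped, "v1.0" used as a pattern also matches "v1x0" because "." is a wildcard.
console.log(new RegExp('v1.0').test('v1x0'), containsLiteral('v1x0', 'v1.0'));
```

Each escaper is only correct for its own context: the HTML output is not a valid JSON string, and the URL output leaves the apostrophe untouched, so it is not safe to paste into a SQL literal.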


Frequently Asked Questions

What is string escaping?

String escaping converts special characters into safe representations. A newline character becomes the two-character sequence \n, a less-than sign becomes &lt; in HTML. This allows special characters to be included in strings without breaking the syntax of the containing format.

When do I need to escape strings?

Anytime you're embedding text in another format: user input in HTML (to prevent XSS), file paths in JSON, search terms in URLs, literal text in regex patterns. If you see unexpected behavior with special characters, escaping is usually the fix.

What's the difference between escape and encode?

The terms are often used interchangeably, but technically escaping adds backslashes or uses entity references, while encoding converts to a different representation like percent-encoding for URLs. Both make special characters safe to include in strings.

Is this safe for security?

This tool demonstrates proper escaping, but for production code always use your framework's built-in functions. For SQL, use parameterized queries, not string escaping. For HTML, use templating engines that auto-escape. This tool is for learning, debugging, and one-off conversions.