String Escape & Unescape - Multi-Format Escaper Online
Escape and unescape strings for JSON, HTML, URL, JavaScript, SQL, XML, CSV, and RegEx formats. Convert special characters instantly — 100% client-side, no data sent to server.
Frequently Asked Questions
What is string escaping?
String escaping is the process of converting special characters in a string into safe representations so they can be used within a specific context (such as JSON, HTML, SQL, or a URL) without breaking the syntax. For example, a double quote inside a JSON string must be escaped as \" so the JSON parser does not interpret it as the end of the string.
How do I use the String Escape/Unescape tool?
Select your target format from the tabs (JSON, HTML, URL, JavaScript, SQL, XML, CSV, or RegEx), choose whether you want to Escape or Unescape using the mode toggle, then enter or paste your text in the input field. The result appears instantly in the output field. Click the copy button to copy the result.
Is my data secure when using this tool?
Yes. This tool processes all data 100% client-side in your browser using JavaScript. Your text is never sent to any server. You can verify this by disconnecting from the internet after loading the page — the tool will continue to work normally.
What is the difference between JSON escaping and JavaScript escaping?
JSON escaping follows the strict RFC 8259 specification and only uses a limited set of escape sequences. JavaScript escaping is broader because JavaScript strings can be delimited by single quotes, double quotes, or backticks, and supports additional escape sequences like \' and \xHH.
When should I use URL encoding vs HTML escaping?
Use URL encoding (percent-encoding) when you need to include special characters in a URL, such as query parameters. Use HTML escaping when you need to display special characters as visible text on a web page without the browser interpreting them as HTML markup.
How does SQL escaping prevent SQL injection?
By escaping special characters in user-provided strings — particularly single quotes (' becomes '') and backslashes — you prevent attackers from breaking out of string literals. However, parameterized queries (prepared statements) are the recommended best practice for production applications.
Why does my unescaped output look wrong?
Common issues: wrong format selected (a JSON-escaped string won't unescape correctly using HTML), double-escaped input (try running unescape again), mixed escape formats in the same string, or malformed escape sequences. Check the error message for details.
Code Examples
// JSON Escape/Unescape
const escaped = JSON.stringify(text).slice(1, -1);
const unescaped = JSON.parse(`"${escaped}"`);
// HTML Escape
const entities = { '&': '&', '<': '<', '>': '>', '"': '"', "'": ''' };
const escapeHtml = text => text.replace(/[&<>"']/g, c => entities[c]);
// URL Encode/Decode
const encoded = encodeURIComponent('hello world'); // hello%20world
const decoded = decodeURIComponent('hello%20world'); // hello world
// SQL Escape
const escapeSql = text => text.replace(/'/g, "''");
console.log(escapeSql("O'Brien")); // O''Brien
// RegEx Escape
const escapeRegex = text => text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
console.log(escapeRegex('file.txt')); // file\.txt