String Escape / Unescape

Escape or unescape strings for JSON, JavaScript, HTML, URL, CSV, and RegEx contexts — instantly.

Last updated: March 25, 2026

Input

Output

Hello \"World\"\nNew line & <special> chars

Client-Side Processing

Input Data Stays on Device

Instant Local Execution

Find this tool useful? Support the project to keep it free!

Buy me a coffee

What is String Escape / Unescape?

String escaping is the process of adding a special prefix character (usually backslash or percent) before characters that have special meaning in a specific context, so that they are treated as literal characters rather than control characters. The escape characters, rules, and which characters need escaping differ completely between contexts: JSON, JavaScript strings, HTML attributes, URL query parameters, CSV cells, and regular expressions each have their own distinct escaping rules.

Choosing the wrong escaping context — or forgetting to escape at all — causes everything from irritating rendering bugs to critical security vulnerabilities (SQL injection, XSS, path traversal). This tool provides side-by-side escaping for all major string contexts, so you can pick the right format whether you're writing an API payload, constructing a query string, embedding text in HTML, or building a regex pattern.

How to Use String Escape / Unescape

Type or paste your raw text string into the input field

Select the escaping context from the tabs: JSON, JavaScript, HTML, URL, CSV, or RegEx

Click "Escape" to convert the raw string to its escaped form

Or paste an escaped string and click "Unescape" to decode it back to the original

Copy the result with the Copy button for use in your code or query

Common Use Cases

JSON-escaping strings before embedding them in JSON payloads (newlines, quotes, backslashes)
URL-encoding query parameter values before appending to an API endpoint URL
Escaping regex metacharacters (. * + ? [ ] { } ( ) | ^ $) when constructing regex from user input
HTML-escaping user input before displaying it in a web page (XSS prevention)
CSV-escaping text fields containing commas or double-quotes before writing to a CSV file
JavaScript string escaping for embedding variables into template literals or string concatenation
Unescaping percent-encoded URLs from logs or error messages to read them clearly
Decoding JSON-escaped strings from API responses to inspect the raw content

Example Input and Output

The same string escaped differently for four different contexts:

Raw string input

She said "It's $10 < tax" & left.

Escaped output per context

JSON:       "She said \"It's $10 < tax\" & left."
JavaScript: 'She said "It\'s $10 < tax" & left.'
HTML:       She said &quot;It&apos;s $10 &lt; tax&quot; &amp; left.
URL:        She%20said%20%22It's%20%2410%20%3C%20tax%22%20%26%20left.
CSV:        "She said ""It's $10 < tax"" & left."
RegEx:      She said "It's $10 < tax" & left.

Privacy First

All escaping and unescaping runs locally in your browser. Your strings — which may contain API keys, passwords, or sensitive data — are never sent to our servers.

Context Matters for Security

Using the wrong escaping context is a security vulnerability. HTML-encoding a value placed into a JavaScript string doesn't prevent JS injection. URL-encoding a value placed in HTML doesn't prevent XSS. Always escape using the rules for the exact output context in which the string will appear.

Language Built-Ins

In production code, use your language's built-in functions rather than manual escaping: JavaScript URL: encodeURIComponent(). JavaScript JSON: JSON.stringify(). Python HTML: html.escape(). Python URL: urllib.parse.quote(). PHP HTML: htmlspecialchars(). PHP URL: urlencode(). Library functions handle edge cases that manual escaping misses.

Frequently Asked Questions

What characters need escaping in JSON strings?

JSON requires escaping: double-quote (\"), backslash (\\), and the control characters: \n (newline), \r (carriage return), \t (tab), \b (backspace), \f (form feed). Unicode characters can be escaped as \uXXXX but don't need to be in UTF-8 JSON. Single quotes don't need escaping in JSON (only double quotes are string delimiters).

What is the difference between URL encoding and HTML encoding?

URL encoding (percent-encoding) makes text safe for URL components — & becomes %26, space becomes %20. It's used for query parameter values: encodeURIComponent() in JavaScript. HTML encoding makes text safe for HTML content — & becomes &. Use URL encoding for URL parameters, HTML encoding for page content. They're completely different contexts with different character sets.

How do I escape a string for use inside a JavaScript template literal (backtick)?

Inside a template literal, you need to escape backticks (\`) and dollar-sign-brace sequences (\${). Single and double quotes don't need escaping inside backtick strings. Example: `Price is \$${amount}` — the first $ is escaped to prevent template substitution, the second starts a real ${amount} expression.

How do I escape a CSV field that contains commas or quotes?

In RFC 4180 CSV: (1) Wrap the field in double quotes: hello, world → "hello, world". (2) Escape any double quotes within the field by doubling them: She said "hi" → "She said ""hi""". Fields with embedded newlines also need to be wrapped in quotes.

Which regex characters need escaping?

The regex metacharacters that must be escaped with a backslash when you want to match them literally are: . * + ? ^ $ { } [ ] | ( ) \. Example: to match a literal period in a version number like "1.0.2", use 1\.0\.2 — without escaping, 1.0.2 matches "1X0Y2" because . matches any character.

Why does JavaScript have both escape() and encodeURIComponent()?

The old escape() function is deprecated — it doesn't encode + and doesn't handle Unicode correctly. Always use encodeURIComponent() for URL query parameter values (encodes everything except A-Z a-z 0-9 - _ . ! ~ * ' ( )). Use encodeURI() for full URL strings (leaves ://? # etc. unencoded). Never use escape().

How This Tool Works

Each escaping mode applies a context-specific transformation: JSON escaping uses JSON.stringify() and extracts the inner content with quote stripping. JavaScript escaping applies backslash rules using regex replacements per the ECMAScript specification. HTML escaping uses the browser's innerHTML/textContent technique (for decoding) and a character map (for encoding). URL escaping uses encodeURIComponent() built-in. CSV escaping wraps in quotes and doubles internal quotes per RFC 4180. RegEx escaping escapes all metacharacters using a standard metacharacter set regex.

Technical Stack

Browser-native JavaScript APIsencodeURIComponent/decodeURIComponentJSON.parse/stringifyinnerHTML/textContent XSS-safe decodingClient-side only

Related Tools

Case Converter

Convert text between uppercase, lowercase, title case, sentence case, camelCase, PascalCase, snake_case, kebab-case, and CONSTANT_CASE instantly.

Lorem Ipsum Generator

Generate placeholder text for your designs and mockups — by paragraph, sentence, or word count, with classic or random variation.

Word Counter

Count words, characters, sentences, paragraphs, and reading time — with keyword density analysis and platform-specific character limit indicators.

Text Diff Checker

Compare two text blocks and see additions, deletions, and changes highlighted line-by-line using the Myers diff algorithm — like Git diff in a browser.

Regex Tester

Test and debug regular expressions with live match highlighting, capture group display, and flag explanations — using JavaScript's native RegExp engine.

HTML Entity Encoder / Decoder

Convert special characters to HTML entities (& → &) and decode them back — for safe, valid HTML.