String Escape/Unescape
Escape and unescape strings for JSON, HTML, URL, SQL, Regex, and CSV.
String Escape/Unescape — What It Does
Enter any string and instantly escape or unescape it for your target format. Supports bidirectional conversion across six formats: JSON (string literal escaping), HTML entities, URL percent-encoding, SQL string escaping, Regular Expression metacharacter escaping, and CSV field quoting. Invaluable when embedding user content in code, crafting API payloads, or debugging encoding issues.
Escape Sequences by Format
- JSON — " → \", \ → \\, newline → \n
- HTML — & → &amp;, < → &lt;, " → &quot;
- URL — space → %20, & → %26, = → %3D
- SQL — ' → '', \ → \\ (MySQL)
- Regex — . → \., [ → \[, ( → \(
- CSV — Values with commas or newlines wrapped in "...", embedded " doubled to ""
Common Escaping Scenarios
- Embedding a user's name containing apostrophes in a JSON API payload
- Encoding query parameters with special characters for a URL
- Displaying user-generated content in HTML without XSS risk
- Using a file path (with backslashes) as a regex pattern in JavaScript
- Building a CSV export where fields may contain commas or line breaks
Security Note
- Always escape at output, not input — Escape context-specifically when inserting into HTML, SQL, URLs, or JS — not when storing.
- SQL escaping is not a security substitute — Use parameterized queries/prepared statements instead of escaping strings for SQL injection prevention.
- HTML context matters — Different HTML contexts (attribute, text node, script, style) require different escaping rules.
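The "escape at output" rule above, as an added JavaScript example (not this tool's own code): one raw stored value is encoded separately for each context it is written into. The function names and the sample input are constructed for illustration; SQL is left out because the advice above is to bind values with parameterized queries rather than escape them.

```javascript
// Added example: one stored value, encoded per output context.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text node or quoted attribute value.
// Not sufficient inside <script>, <style> or unquoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// A single query-parameter value (not a whole URL).
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// JSON string literal, including the surrounding quotes.
function escapeJson(s) {
  return JSON.stringify(String(s));
}

// Literal text inside a regular expression.
function escapeRegex(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// CSV field: quote only when needed, double any embedded quotes.
function escapeCsv(s) {
  const v = String(s);
  return /[",\r\n]/.test(v) ? '"' + v.replace(/"/g, '""') + '"' : v;
}

// Keep the raw value in storage; encode only at the point of output.
function renderAll(raw) {
  return {
    html: '<p title="' + escapeHtml(raw) + '">' + escapeHtml(raw) + '</p>',
    url: '/search?q=' + escapeUrlParam(raw),
    json: '{"name":' + escapeJson(raw) + '}',
    regex: new RegExp('^' + escapeRegex(raw) + '$'),
    csv: ['id', escapeCsv(raw)].join(','),
  };
}

const sample = 'O\'Brien, "Al" <a&b> (v1.0)'; // constructed input
console.log(renderAll(sample));
```

The same input yields five different encodings, which is why a value escaped once at input time is wrong for every context but one.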
Frequently Asked Questions
- What characters need to be escaped in JSON strings?
- In JSON, you must escape: double quotes ("), backslash (\\), and control characters (\n for newline, \t for tab, \r for carriage return, \b for backspace, \f for form feed). Forward slashes (/) are optionally escapable. Unicode characters can be escaped as \uXXXX.
- What is URL encoding and when should I use it?
- URL encoding (percent-encoding) replaces unsafe characters with %XX where XX is the hex byte value. Spaces become %20 (or + in query strings), & becomes %26, = becomes %3D. Use encodeURIComponent() in JavaScript to encode individual query parameter values; use encodeURI() for full URLs.
- What is the difference between HTML entity encoding and URL encoding?
- HTML encoding converts characters that have meaning in HTML markup: & → &amp;, < → &lt;, > → &gt;, " → &quot;, ' → &#39;. URL encoding converts characters unsafe in URLs using %HH notation. Always HTML-encode user content before inserting into HTML to prevent XSS attacks.
- How do I escape a string for use in a SQL query?
- SQL escaping replaces single quotes with two single quotes (' → '') and escapes backslashes in MySQL. However, string escaping alone is not sufficient for SQL injection prevention — always use parameterized queries or prepared statements. This tool is useful for understanding what escaping looks like, not as a security solution.
- What characters need to be escaped in regular expressions?
- Regex metacharacters that need escaping with a backslash: . ^ $ * + ? { } [ ] \ | ( ). For example, to match a literal dot in a regex, use \. — otherwise . matches any character. In JavaScript, use RegExp.escape() or a utility like escapeRegExp() to safely escape user input for regex.