String Escape / Unescape
Escape and unescape strings for HTML, JSON, JavaScript, SQL, and more
Suggested Next Steps
Related Tools
Base64 Encoder / Decoder
Quickly encode text to Base64 or decode Base64 back to text.
URL Encoder / Decoder
Encode and decode URLs
HTML Entity Encoder / Decoder
Encode special characters to HTML entities or decode them back
Number Base Converter
Convert numbers between binary, octal, decimal and hexadecimal
Timestamp Converter
Convert between Unix timestamps and human-readable dates
ASCII / Unicode Lookup
Search and look up ASCII and Unicode character codes
How to Use
Paste or Type Input
Enter your text, code, or data into the input area.
Choose Options
Select the transformation or format you want to apply.
Copy the Result
Copy the output to your clipboard with one click.
Why Use This Tool
100% Free
No hidden costs, no premium tiers — every feature is free.
No Installation
Runs entirely in your browser. No software to download or install.
Private & Secure
Your data never leaves your device. Nothing is uploaded to any server.
Works on Mobile
Fully responsive — use on your phone, tablet, or desktop.
String Escaping and Unescaping for Multiple Formats
Key Takeaways
- String escaping converts special characters into safe representations for their target format — JSON, XML, HTML, and more each have different rules.
- Improper escaping is a leading cause of injection vulnerabilities, parsing errors, and data corruption in web applications.
- All string processing happens entirely in your browser — your text data is never sent to any server.
Every programming language and data format has characters with special meaning that must be escaped when used as literal text. A backslash in JSON, angle brackets in XML, and quotes in CSV all require different escaping strategies. Understanding escape sequences across formats is essential for building robust applications that handle data safely.
Injection attacks from improper escaping account for over 30% of web application vulnerabilities according to OWASP.
Security Impact
Key Concepts
JSON Escape Sequences
JSON requires escaping backslashes, double quotes, and control characters (\n, \t, \r). Unicode characters can be represented as \uXXXX escape sequences.
XML and HTML Escaping
XML uses entity references (& < > " ') while HTML adds hundreds of named entities. CDATA sections offer an alternative to escaping in XML.
URL Percent-Encoding
URLs encode special characters as %XX hex pairs. This is distinct from other escaping methods and follows RFC 3986 rules for reserved and unreserved characters.
Backslash Escaping in Regex
Regular expressions use backslash to escape metacharacters. When regex is embedded in a JSON string, backslashes must be double-escaped.
Pro Tips
Always use your language's built-in serialization functions (JSON.stringify, encodeURIComponent) rather than manual escaping.
Be aware of double-escaping — when embedding escaped strings inside other escaped formats, each layer adds its own escaping.
Test with edge cases: empty strings, strings containing only special characters, null bytes, and Unicode surrogate pairs.
When debugging, unescape layer by layer — URL decode first, then JSON parse, then examine the raw string.
All string escaping and unescaping is performed entirely in your browser. Your text data, which may contain sensitive content, is never transmitted to any external server.