UseToolSuite

String Escape / Unescape

Escape and unescape special characters for JavaScript, JSON, HTML, XML, URL, RegEx, SQL, CSV, Shell, Python, Java, and C#. Free, instant, browser-based.

Escape Reference Table
Character | JS / JSON | HTML | URL | SQL
" | \" | &quot; | %22 | N/A
' | \' | &#39; | %27 | ''
< | N/A | &lt; | %3C | N/A
& | N/A | &amp; | %26 | N/A
\n | \\n | N/A | %0A | N/A
\\ | \\\\ | N/A | %5C | \\\\

What is String Escape / Unescape?

String Escape / Unescape is a free online tool that escapes and unescapes special characters in strings for 12 different contexts: JavaScript, JSON, HTML, XML, URL, Regular Expression, SQL, CSV, Shell/Bash, Python, Java, and C#. Escaping converts characters that have special meaning in a given context into their safe, encoded equivalents — and unescaping reverses the process. All processing runs entirely in your browser with no data transmitted to any server.

When to use it?

Use String Escape when you need to safely embed user-provided text in code, queries, or markup: preparing strings for JSON payloads, escaping HTML to prevent XSS vulnerabilities, encoding URL parameters, escaping special regex characters to match literal text, sanitizing SQL string values, properly quoting shell arguments, or preparing CSV fields with embedded commas and quotes. Use Unescape to decode and inspect already-escaped strings — for example, reading URL-encoded query parameters, decoding HTML entities, or converting escaped JSON strings back to readable text.

Common use cases

Frontend developers use String Escape to prepare user input for safe insertion into HTML and JavaScript. Backend developers use it to properly escape SQL values and shell command arguments. API developers use it to encode and decode URL parameters and JSON string values. DevOps engineers use it to escape special characters in shell scripts and configuration files. QA engineers use it to prepare test data containing special characters. Security researchers use it to test and verify proper escaping in applications.

Key Concepts

Essential terms and definitions related to String Escape / Unescape.

Escape Sequence

A combination of characters that represents a special character in a string literal. Common escape sequences include \n (newline), \t (tab), \\ (literal backslash), and \" (literal double quote). The backslash character acts as the escape character in most programming languages, signaling that the following character should be interpreted differently from its literal meaning.

Percent-Encoding (URL Encoding)

A mechanism for encoding special characters in URLs by replacing them with a percent sign (%) followed by two hexadecimal digits representing the character's ASCII value. For example, a space becomes %20, an ampersand becomes %26, and a forward slash becomes %2F. This ensures that reserved URL characters are not misinterpreted as URL structure delimiters.

HTML Entity

A string that begins with an ampersand (&) and ends with a semicolon (;) that represents a character in HTML. Named entities include &lt; for <, &gt; for >, &amp; for &, and &quot; for ". Numeric entities like &#39; use the character's Unicode code point. HTML entities prevent the browser from interpreting text content as HTML markup.

SQL Injection

A code injection attack where malicious SQL statements are inserted into application queries through unescaped user input. For example, entering ' OR 1=1 -- into a login field can bypass authentication if the application directly concatenates user input into SQL queries without proper escaping or parameterization. Proper string escaping is one layer of defense, but parameterized queries (prepared statements) are the recommended primary protection.

Frequently Asked Questions

What is string escaping and why is it necessary?

String escaping replaces characters that have special meaning in a given context with safe encoded equivalents. For example, a double quote inside a JSON string must be escaped as \" because an unescaped quote would terminate the string prematurely. Escaping prevents syntax errors, injection vulnerabilities (XSS, SQL injection), and data corruption. Different contexts (JavaScript, HTML, URLs, SQL, etc.) have different characters that must be escaped and different escape syntaxes.

What is the difference between this tool and the URL Encoder/HTML Entity tools?

This tool is a universal escape/unescape utility that supports 12 different contexts in one place. The dedicated URL Encoder and HTML Entity tools focus on a single context with more specialized options. Use this tool when you need to quickly switch between contexts or compare how the same string is escaped differently across languages and formats.

Does this tool handle Unicode characters?

Yes. All escape and unescape operations use JavaScript's native Unicode support. Unicode characters outside the ASCII range are preserved in most contexts. For JSON and JavaScript, characters are escaped using standard \uXXXX notation when necessary.

Is the output safe to use directly in production code?

The tool correctly implements standard escaping rules for each context. However, for security-critical operations (preventing XSS, SQL injection), always use your framework's built-in escaping or parameterized query functions rather than manually escaping strings. This tool is best used for debugging, understanding escape behavior, and preparing test data.

What does the Swap button do?

The Swap button copies the output to the input field and toggles the direction (Escape ↔ Unescape). This lets you quickly reverse an operation: escape a string, then swap to verify it unescapes back to the original. It is also useful for chaining operations — escape for one context, then swap and re-escape for a different context.

Troubleshooting & Technical Tips

Common errors developers encounter and how to resolve them.

URL unescape produces garbled characters

The input may be double-encoded (percent-encoded twice). Try running unescape twice. Also ensure the original text was encoded as UTF-8 — other character encodings (ISO-8859-1, Windows-1252) may produce incorrect results with the standard decodeURIComponent function used by this tool.
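The double-encoding and non-UTF-8 cases above, as an added example (not the tool's own code): decodeLayers peels one percent-encoding layer at a time with decodeURIComponent and reports how many layers it removed and whether it stopped on an error. The function names and sample strings are constructed for illustration, and decodeLatin1 assumes the original bytes were ISO-8859-1.

```javascript
// Added example: count percent-encoding layers instead of decoding blindly.
function decodeLayers(input, maxLayers = 5) {
  let value = input;
  let layers = 0;
  let stoppedOn = null;
  while (layers < maxLayers) {
    let next;
    try {
      next = decodeURIComponent(value);
    } catch (err) {
      // decodeURIComponent throws URIError when a %XX run is not valid UTF-8
      // or when '%' is not followed by two hex digits.
      stoppedOn = err.name;
      break;
    }
    if (next === value) break; // nothing left to decode
    value = next;
    layers += 1;
  }
  return { value, layers, stoppedOn };
}

// Assumption: the source was ISO-8859-1, where each %XX byte maps directly to
// the code point of the same number. Windows-1252 differs in the 0x80-0x9F range.
function decodeLatin1(input) {
  return input.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Constructed sample inputs.
const URL_SAMPLES = [
  'caf%C3%A9',      // UTF-8, encoded once
  'caf%25C3%25A9',  // the same text, encoded twice
  '50%25%20off',    // decodes to "50% off"; a second pass hits a bare '%'
  'caf%E9',         // ISO-8859-1 byte, not valid UTF-8
];
for (const s of URL_SAMPLES) {
  console.log(s, JSON.stringify(decodeLayers(s)));
}
console.log('caf%E9 as Latin-1:', decodeLatin1('caf%E9'));
```

A layers count above 1 is worth recording: a validator that decodes once and a consumer that decodes again will not be looking at the same value.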

JSON unescape throws an error

The input may contain invalid JSON escape sequences. JSON only supports a limited set of escape sequences: \", \\, \/, \b, \f, \n, \r, \t, and \uXXXX. Other backslash sequences (like \a or \x41) are not valid in JSON and will cause an error. Use the JavaScript context instead, which supports a broader set of escape sequences.
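To find which sequence JSON rejects, the following added example (not the tool's own code) scans the text between the quotes of a JSON string and reports each backslash sequence outside the set listed above, with its position. The function names and sample strings are constructed for illustration.

```javascript
// Added example: locate backslash sequences that JSON does not allow.
// `body` is the raw text between the quotes of a JSON string literal.
const SIMPLE_ESCAPES = new Set(['"', '\\', '/', 'b', 'f', 'n', 'r', 't']);

function findInvalidJsonEscapes(body) {
  const problems = [];
  for (let i = 0; i < body.length; i++) {
    if (body[i] !== '\\') continue;
    const next = body[i + 1];
    if (next === undefined) {
      problems.push({ index: i, sequence: '\\' }); // dangling backslash
    } else if (next === 'u') {
      const seq = body.slice(i, i + 6);
      if (/^\\u[0-9a-fA-F]{4}$/.test(seq)) {
        i += 5; // skip the whole \uXXXX
        continue;
      }
      problems.push({ index: i, sequence: seq });
    } else if (!SIMPLE_ESCAPES.has(next)) {
      problems.push({ index: i, sequence: '\\' + next });
    }
    i += 1; // skip the escaped character so "\\x41" is not misread as "\x41"
  }
  return problems;
}

// Cross-check with the real parser. It also rejects raw control characters
// and unescaped quotes, which this scanner does not look for.
function jsonAccepts(body) {
  try { JSON.parse('"' + body + '"'); return true; } catch { return false; }
}

// Constructed samples; String.raw keeps the backslashes exactly as typed.
const JSON_SAMPLES = [
  String.raw`tab\there \u00e9 slash\/ok`, // all valid
  String.raw`bell\a hex\x41`,             // \a and \x are JavaScript-only
  String.raw`C:\\x41`,                    // escaped backslash, then plain "x41"
  String.raw`bad \u12G4`,                 // \u without four hex digits
];
for (const s of JSON_SAMPLES) {
  console.log(s, jsonAccepts(s), JSON.stringify(findInvalidJsonEscapes(s)));
}
```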

Shell escape adds unexpected quotes

Shell escaping wraps the entire string in single quotes and escapes any embedded single quotes. This is the safest way to pass arbitrary text as a single shell argument. If you need a different quoting style (double quotes or backslash escaping), adjust the output manually for your specific shell and use case.
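The single-quote strategy described above, as an added example (not the tool's own code): shellQuote wraps the string and rewrites each embedded single quote, and readShellWord is a deliberately small model of how a POSIX shell reads such a word, used to confirm the round trip. Both function names and the sample strings are constructed for illustration; the model covers only single-quoted segments and backslash escapes.

```javascript
// Added example: quote arbitrary text as exactly one POSIX shell argument.
function shellQuote(arg) {
  if (arg.includes('\0')) {
    throw new RangeError('NUL cannot appear in a shell argument');
  }
  // For each embedded quote: close the quoted segment, emit an escaped
  // quote (\'), then reopen the quoted segment.
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Minimal model of shell word parsing: text inside '...' is literal, and a
// backslash outside quotes escapes one character. Anything else outside
// quotes is rejected, since a real shell might interpret it.
function readShellWord(word) {
  let out = '';
  let i = 0;
  while (i < word.length) {
    const ch = word[i];
    if (ch === "'") {
      const end = word.indexOf("'", i + 1);
      if (end === -1) throw new SyntaxError('unterminated single quote');
      out += word.slice(i + 1, end);
      i = end + 1;
    } else if (ch === '\\' && i + 1 < word.length) {
      out += word[i + 1];
      i += 2;
    } else {
      throw new SyntaxError('unquoted character at index ' + i);
    }
  }
  return out;
}

function roundTrips(arg) {
  return readShellWord(shellQuote(arg)) === arg;
}

// Constructed samples: metacharacters, an embedded quote, a newline, empty.
const SHELL_SAMPLES = [
  "O'Reilly & Sons; echo $HOME | cat > out.txt",
  "two\nlines",
  "''",
  "",
];
for (const s of SHELL_SAMPLES) {
  console.log(JSON.stringify(s), '->', shellQuote(s), roundTrips(s));
}
```

The empty string becomes `''`, which the shell still passes as one (empty) argument rather than dropping it.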
