Escape and unescape special characters for JavaScript, JSON, HTML, XML, URL, RegEx, SQL, CSV, Shell, Python, Java, and C#. Free, instant, browser-based.
String Escape / Unescape is a free, browser-based tool
from UseToolSuite's
String & Text Tools collection.
All processing happens locally on your device — your data is never uploaded to any server.
Use the tool below, then scroll down for detailed documentation, frequently asked questions, and related resources.
What is String Escape / Unescape?
String Escape / Unescape is a free online tool that escapes and unescapes special characters in strings for 12 different contexts: JavaScript, JSON, HTML, XML, URL, Regular Expression, SQL, CSV, Shell/Bash, Python, Java, and C#. Escaping converts characters that have special meaning in a given context into their safe, encoded equivalents — and unescaping reverses the process. All processing runs entirely in your browser with no data transmitted to any server.
When to use it?
Use String Escape when you need to safely embed user-provided text in code, queries, or markup: preparing strings for JSON payloads, escaping HTML to prevent XSS vulnerabilities, encoding URL parameters, escaping special regex characters to match literal text, sanitizing SQL string values, properly quoting shell arguments, or preparing CSV fields with embedded commas and quotes. Use Unescape to decode and inspect already-escaped strings — for example, reading URL-encoded query parameters, decoding HTML entities, or converting escaped JSON strings back to readable text.
Common use cases
Frontend developers use String Escape to prepare user input for safe insertion into HTML and JavaScript. Backend developers use it to properly escape SQL values and shell command arguments. API developers use it to encode and decode URL parameters and JSON string values. DevOps engineers use it to escape special characters in shell scripts and configuration files. QA engineers use it to prepare test data containing special characters. Security researchers use it to test and verify proper escaping in applications.
Escaping is always about context
There is no universal “escape this string” — escaping only makes sense relative to where the string is going. The same character is dangerous in one context and harmless in another:
| Context | What needs escaping | Escape form |
|---|
| JSON | " \ newline | \" \\ \n |
| HTML | < > & | < > & |
| URL | reserved + spaces | %20, %26, … |
| RegEx | . * + ? ( ) [ ] … | backslash-prefixed |
| SQL | ' | '' |
| Shell | everything (quote it) | single-quote wrap |
This tool covers 12 contexts in one place so you can see, side by side, how the same input is escaped completely differently for JavaScript versus SQL versus a shell argument — which is the fastest way to build intuition for why context matters.
The double-encoding trap
The most common escaping bug is applying it twice. A value that’s escaped once (& → &) and then escaped again becomes &amp;, which renders literally as & on the page. This happens constantly when manual escaping is layered on top of a framework that already auto-escapes. The rule: escape exactly once, at the boundary where the data enters its target context. If you see &amp; or %2520 in output, you’ve encoded one layer too many — paste it here and unescape once to confirm how many layers are stacked.
Use it to debug, not to secure
Reach for this tool when you need to:
- Prepare test data — craft a payload with exactly the escaping a parser expects.
- Debug a parser error — see whether a stray quote or backslash is breaking your JSON/CSV.
- Compare contexts — understand why a string that’s valid in JavaScript breaks in JSON (JSON allows far fewer escape sequences).
- Reverse an operation — the Swap button feeds output back as input and flips direction, so you can verify a round-trip.
Everything runs in your browser, so even sensitive test strings stay local. Just remember the boundary: this is a learning and debugging instrument; your application’s actual injection defense belongs in parameterized queries and framework-level escaping.
How helpful was this tool?
Click to rate
Awesome! Glad it helped.
We don't have a marketing budget. The best way to support this free tool is by sharing it with other developers!
Help us improve!
Sorry it didn't meet your expectations. We're always looking to make these tools better. What was missing or broken?
Open GitHub Issue