UseToolSuite UseToolSuite

String Escape / Unescape

Escape and unescape special characters for JavaScript, JSON, HTML, XML, URL, RegEx, SQL, CSV, Shell, Python, Java, and C#. Free, instant, browser-based.

Last updated

String Escape / Unescape is a free, browser-based tool from UseToolSuite's String & Text Tools collection. All processing happens locally on your device — your data is never uploaded to any server. Use the tool below, then scroll down for detailed documentation, frequently asked questions, and related resources.

Advertisement
Escape Reference Table
Character JS / JSON HTML URL SQL
"\""%22N/A
'\''%27''
<N/A&lt;%3CN/A
&N/A&amp;%26N/A
\n\\nN/A%0AN/A
\\\\\\N/A%5C\\\\

What is String Escape / Unescape?

String Escape / Unescape is a free online tool that escapes and unescapes special characters in strings for 12 different contexts: JavaScript, JSON, HTML, XML, URL, Regular Expression, SQL, CSV, Shell/Bash, Python, Java, and C#. Escaping converts characters that have special meaning in a given context into their safe, encoded equivalents — and unescaping reverses the process. All processing runs entirely in your browser with no data transmitted to any server.

When to use it?

Use String Escape when you need to safely embed user-provided text in code, queries, or markup: preparing strings for JSON payloads, escaping HTML to prevent XSS vulnerabilities, encoding URL parameters, escaping special regex characters to match literal text, sanitizing SQL string values, properly quoting shell arguments, or preparing CSV fields with embedded commas and quotes. Use Unescape to decode and inspect already-escaped strings — for example, reading URL-encoded query parameters, decoding HTML entities, or converting escaped JSON strings back to readable text.

Common use cases

Frontend developers use String Escape to prepare user input for safe insertion into HTML and JavaScript. Backend developers use it to properly escape SQL values and shell command arguments. API developers use it to encode and decode URL parameters and JSON string values. DevOps engineers use it to escape special characters in shell scripts and configuration files. QA engineers use it to prepare test data containing special characters. Security researchers use it to test and verify proper escaping in applications.

Escaping is always about context

There is no universal “escape this string” — escaping only makes sense relative to where the string is going. The same character is dangerous in one context and harmless in another:

ContextWhat needs escapingEscape form
JSON" \ newline\" \\ \n
HTML< > &&lt; &gt; &amp;
URLreserved + spaces%20, %26, …
RegEx. * + ? ( ) [ ]backslash-prefixed
SQL'''
Shelleverything (quote it)single-quote wrap

This tool covers 12 contexts in one place so you can see, side by side, how the same input is escaped completely differently for JavaScript versus SQL versus a shell argument — which is the fastest way to build intuition for why context matters.

The double-encoding trap

The most common escaping bug is applying it twice. A value that’s escaped once (&&amp;) and then escaped again becomes &amp;amp;, which renders literally as &amp; on the page. This happens constantly when manual escaping is layered on top of a framework that already auto-escapes. The rule: escape exactly once, at the boundary where the data enters its target context. If you see &amp;amp; or %2520 in output, you’ve encoded one layer too many — paste it here and unescape once to confirm how many layers are stacked.

Use it to debug, not to secure

Reach for this tool when you need to:

  • Prepare test data — craft a payload with exactly the escaping a parser expects.
  • Debug a parser error — see whether a stray quote or backslash is breaking your JSON/CSV.
  • Compare contexts — understand why a string that’s valid in JavaScript breaks in JSON (JSON allows far fewer escape sequences).
  • Reverse an operation — the Swap button feeds output back as input and flips direction, so you can verify a round-trip.

Everything runs in your browser, so even sensitive test strings stay local. Just remember the boundary: this is a learning and debugging instrument; your application’s actual injection defense belongs in parameterized queries and framework-level escaping.

How helpful was this tool?

Click to rate

Advertisement

Key Concepts

Essential terms and definitions related to String Escape / Unescape.

Escape Sequence

A combination of characters that represents a special character in a string literal. Common escape sequences include \n (newline), \t (tab), \\ (literal backslash), and \" (literal double quote). The backslash character acts as the escape character in most programming languages, signaling that the following character should be interpreted differently from its literal meaning.

Percent-Encoding (URL Encoding)

A mechanism for encoding special characters in URLs by replacing them with a percent sign (%) followed by two hexadecimal digits representing the character's ASCII value. For example, a space becomes %20, an ampersand becomes %26, and a forward slash becomes %2F. This ensures that reserved URL characters are not misinterpreted as URL structure delimiters.

HTML Entity

A string that begins with an ampersand (&) and ends with a semicolon (;) that represents a character in HTML. Named entities include &lt; for <, &gt; for >, &amp; for &, and &quot; for ". Numeric entities like &#39; use the character's Unicode code point. HTML entities prevent the browser from interpreting text content as HTML markup.

SQL Injection

A code injection attack where malicious SQL statements are inserted into application queries through unescaped user input. For example, entering ' OR 1=1 -- into a login field can bypass authentication if the application directly concatenates user input into SQL queries without proper escaping or parameterization. Proper string escaping is one layer of defense, but parameterized queries (prepared statements) are the recommended primary protection.

Frequently Asked Questions

What is string escaping and why is it necessary?

String escaping replaces characters that have special meaning in a given context with safe encoded equivalents. For example, a double quote inside a JSON string must be escaped as \" because an unescaped quote would terminate the string prematurely. Escaping prevents syntax errors, injection vulnerabilities (XSS, SQL injection), and data corruption. Different contexts (JavaScript, HTML, URLs, SQL, etc.) have different characters that must be escaped and different escape syntaxes.

What is the difference between this tool and the URL Encoder/HTML Entity tools?

This tool is a universal escape/unescape utility that supports 12 different contexts in one place. The dedicated URL Encoder and HTML Entity tools focus on a single context with more specialized options. Use this tool when you need to quickly switch between contexts or compare how the same string is escaped differently across languages and formats.

Does this tool handle Unicode characters?

Yes. All escape and unescape operations use JavaScript's native Unicode support. Unicode characters outside the ASCII range are preserved in most contexts. For JSON and JavaScript, characters are escaped using standard \uXXXX notation when necessary.

Is the output safe to use directly in production code?

The tool correctly implements standard escaping rules for each context. However, for security-critical operations (preventing XSS, SQL injection), always use your framework's built-in escaping or parameterized query functions rather than manually escaping strings. This tool is best used for debugging, understanding escape behavior, and preparing test data.

What does the Swap button do?

The Swap button copies the output to the input field and toggles the direction (Escape ↔ Unescape). This lets you quickly reverse an operation: escape a string, then swap to verify it unescapes back to the original. It is also useful for chaining operations — escape for one context, then swap and re-escape for a different context.

Why shouldn't I rely on manual SQL or HTML escaping for security?

Because manual escaping is fragile and easy to get subtly wrong, and a single miss is a vulnerability. For SQL, the correct defense is parameterized queries (prepared statements), which send the query structure and the data separately so user input can never be interpreted as SQL — escaping quotes by hand can't match that guarantee, especially across encodings and edge cases. For HTML/XSS, use your framework's context-aware auto-escaping (React, Vue, and templating engines do this on output). Manual escaping is excellent for debugging, preparing test data, and understanding what's happening — but production security should rest on parameterized queries and framework escaping, not strings you escaped by hand.

How do I handle a string that lives in nested contexts, like JavaScript inside an HTML attribute?

Escape from the inside out, once per layer, in the right order. Consider a value going into an onclick attribute: it lives in a JavaScript string (innermost) that sits inside an HTML attribute (outer). You first apply JavaScript-string escaping, then HTML-attribute escaping on top — and the browser decodes them in reverse when it parses. Getting the order or count wrong causes either broken syntax or, worse, an injection hole. This is exactly why inline event handlers and dynamically-built script are discouraged: nested contexts are error-prone. When you can, avoid the nesting (use addEventListener and data attributes); when you can't, escape each layer deliberately and test the round-trip.

Troubleshooting & Technical Tips

Common errors developers encounter and how to resolve them.

URL unescape produces garbled characters

The input may be double-encoded (percent-encoded twice). Try running unescape twice. Also ensure the original text was encoded as UTF-8 — other character encodings (ISO-8859-1, Windows-1252) may produce incorrect results with the standard decodeURIComponent function used by this tool.

JSON unescape throws an error

The input may contain invalid JSON escape sequences. JSON only supports a limited set of escape sequences: \", \\, \/, \b, \f, \n, \r, \t, and \uXXXX. Other backslash sequences (like \a or \x41) are not valid in JSON and will cause an error. Use the JavaScript context instead, which supports a broader set of escape sequences.

Shell escape adds unexpected quotes

Shell escaping wraps the entire string in single quotes and escapes any embedded single quotes. This is the safest way to pass arbitrary text as a single shell argument. If you need a different quoting style (double quotes or backslash escaping), adjust the output manually for your specific shell and use case.

Advertisement

Related Tools