String Escape/Unescape
Escape or unescape strings for JSON, XML, HTML, JavaScript, SQL embedding. Free, private — all processing in your browser.
The String Escape/Unescape tool handles the tedious task of escaping special characters for embedding strings inside JSON, XML, HTML, JavaScript, or SQL code. Paste a raw string with any characters (quotes, backslashes, newlines, Unicode) and get the escaped version ready to paste into your target format — or paste an escaped string and get back the raw original. Supports JSON (RFC 8259 escape rules), XML (five predefined entities plus numeric references), HTML (named entities and numeric), JavaScript (string literal escaping with Unicode), SQL (single-quote doubling for MySQL, PostgreSQL, SQLite), CSV (RFC 4180 quoting rules), and Python/Shell escape sequences.
Every language has its own rules for embedding strings in code. Get the rules wrong and you get parse errors, SQL injection vulnerabilities, XSS attacks, or corrupted data. Writing code that includes arbitrary user text requires careful escaping. This tool applies the correct rules for your target format automatically. All conversion is client-side — your strings (which may contain sensitive data like passwords, database values, or user input) stay in your browser.
String Escape/Unescape — key features
Multiple target formats
JSON, XML, HTML, JavaScript, SQL, CSV, Python, Shell — each with correct escape rules.
Bidirectional
Escape raw to escaped, or unescape escaped to raw. Switch with one click.
Special character handling
Quotes, backslashes, newlines, tabs, Unicode characters. All handled per target format rules.
SQL dialect selection
MySQL, PostgreSQL, SQL Server, Oracle, SQLite — subtle differences. Pick the right one.
Unicode handling
Preserve Unicode characters, or convert to escape sequences (useful for ASCII-only contexts).
Copy to clipboard
Escaped strings ready to paste into JSON, HTML, code. One click.
Live conversion
Output updates as you type. Instant feedback.
100% client-side
Your strings processed in your browser. Never uploaded.
How to use the String Escape/Unescape
- 1. Choose target format: JSON, XML, HTML, JavaScript, SQL, CSV. Each has its own escape rules.
- 2. Choose direction: escape (raw string to escaped for target format) or unescape (escaped string to raw).
- 3. Paste input: raw text with special characters, or escaped text you want to unescape.
- 4. For SQL, choose dialect: MySQL / PostgreSQL / SQL Server are similar but have subtle differences. Match your database.
- 5. Copy result: escaped string ready to paste into your code or data file, or unescaped raw text for display.
Common use cases for the String Escape/Unescape
Embedding data in code
- Include text in JSON: Hard-code string with quotes and newlines into JSON. Escape special characters properly.
- Include text in JavaScript: Put user-facing strings into JS source code safely.
- Include text in HTML: Render user content in HTML — escape to prevent XSS and preserve formatting.
- SQL string literals: Hardcoded strings in SQL scripts — escape quotes. But prefer parameterized queries for user input.
- Configuration files: Put complex strings into config files (.json, .yaml, .xml).
Debugging
- Unescape API responses: JSON API returns strings with escape sequences — unescape to read the actual text.
- Debug HTML source: View source shows entity-escaped tags — unescape to see original markup.
- Parse SQL error messages: Error messages escape special characters — unescape to read the actual query.
- Inspect stored data: Database stores escaped strings — unescape to see actual values.
Testing
- Generate test fixtures: Test data with special characters (quotes, newlines, Unicode). Escape for fixture files.
- Test XSS prevention: Provide unescaped XSS payloads to verify your app escapes them properly.
- Test SQL injection handling: Provide inputs with quotes to verify parameterized queries work.
Content management
- Copy text from one system to another: Copy escaped HTML content, unescape, paste into plain text editor.
- Sanitize user-generated content: Before displaying, escape HTML-unsafe characters.
- Prepare text for code: Developers often need to quickly embed text into source code — escape once, done.
String Escape/Unescape — examples
JSON escape
String with quotes and newlines.
She said Hello How are you?
JSON string with quotes and newline escaped
JSON unescape
JSON string back to raw.
Escape sequences like backslash-n and backslash-t
Line 1 Line 2 (indented)
HTML entity escape
Safe HTML display.
<script>alert(1)</script>
&lt;script&gt;alert(1)&lt;/script&gt;
HTML unescape
Entities back to characters.
&lt;h1&gt;Title &amp; subtitle&lt;/h1&gt;
<h1>Title & subtitle</h1>
JavaScript escape
String for JS source code.
Windows path with backslash
Escaped with double backslash for source code
XML escape
Predefined entities.
<author>Smith & Co</author>
&lt;author&gt;Smith &amp; Co&lt;/author&gt;
CSV escape
Quotes and commas handled.
Text with, comma
"Text with, comma"
Unicode escape
Non-ASCII to escape sequences.
Hello world with CJK chars
Hello world with unicode escape sequences
Technical details
Each target format has different escape rules reflecting the format's grammar.
JSON string escaping (RFC 8259):
Required escapes inside JSON strings: double quote, backslash, forward slash (optional), backspace, form feed, newline, carriage return, tab, control characters (as unicode escape).
Example: a string with quotes and newline needs each to be escaped with backslash.
JavaScript string escaping:
Similar to JSON plus more options (single vs double vs backtick quotes, template literals with dollar-brace interpolation needing escape, Unicode with 4-hex or ES6 curly-brace form).
HTML entity escaping:
Essential for preventing XSS. Five main characters and their entities:
| Character | Entity | Numeric |
|---|---|---|
| less-than | &lt; | &#60; |
| greater-than | &gt; | &#62; |
| ampersand | &amp; | &#38; |
| double quote | &quot; | &#34; |
| single quote | &apos; | &#39; |
Escape all of these in HTML content. In attributes, quotes MUST be escaped.
XML escaping:
Five predefined entities: &lt; &gt; &amp; &quot; &apos;. Any other character can be written as a numeric reference.
SQL escaping:
Major databases differ:
- MySQL / PostgreSQL / SQLite: single quotes doubled.
- SQL Server: single quotes doubled.
- Oracle: similar, plus Q-quote syntax for complex strings.
Important note: Escape functions are NOT sufficient to prevent SQL injection. Always use parameterized queries (prepared statements).
CSV escaping (RFC 4180):
- Fields containing commas, quotes, or newlines are wrapped in double quotes.
- Double quotes inside quoted fields are doubled.
Python escaping:
Similar to JSON plus raw strings (r prefix), triple quotes, unicode by name.
Shell escaping:
Complex. Single quotes disable all escaping inside. Double quotes allow variable expansion and command substitution. Backslash escapes outside quotes.
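The quoting behaviours described above, checked against a real shell. This is an added example, not code from the tool; it assumes a POSIX `sh` on the PATH, and `VALUE` and the function names are constructed for illustration.

```python
import shlex
import subprocess
import sys

# Constructed sample: a single quote, a variable and a command substitution.
VALUE = "it's $HOME and $(echo expanded)"

def run_shell(command_line):
    """Run one command line through sh and return what it printed."""
    done = subprocess.run(["sh", "-c", command_line],
                          capture_output=True, text=True, check=True)
    return done.stdout

def echo_double_quoted(value):
    """Before: inside double quotes the shell still expands $VAR and $(...)."""
    return run_shell('printf %s "' + value + '"')

def echo_single_quoted(value):
    """After: shlex.quote() wraps the value in single quotes (escaping any
    it contains), so the shell passes the text through unchanged."""
    return run_shell("printf %s " + shlex.quote(value))

def echo_without_shell(value):
    """Preferred: an argument list is never parsed by a shell at all."""
    child = "import sys; sys.stdout.write(sys.argv[1])"
    done = subprocess.run([sys.executable, "-c", child, value],
                          capture_output=True, text=True, check=True)
    return done.stdout

if __name__ == "__main__":
    print("double quoted :", echo_double_quoted(VALUE))
    print("shlex.quote   :", echo_single_quoted(VALUE))
    print("no shell      :", echo_without_shell(VALUE))
```

Only the double-quoted form changes the text: the command substitution runs and the variable is replaced, while the other two return `VALUE` byte for byte.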
URL escaping (different from string escape):
Percent-encoding for URLs is different. Use our URL Encoder/Decoder for URLs.
Common problems and solutions
⚠SQL escaping is not injection prevention
Escape functions alone are NOT sufficient against SQL injection. Attackers find ways around any escaping. Use parameterized queries (prepared statements) always. Escape tools are for hardcoded strings in code, not user input.
⚠Double-escaping
Escaping already-escaped text makes it worse. Always unescape before re-escaping. Check your data flow to avoid applying escape multiple times.
⚠Context confusion
A string valid in JSON may need re-escaping in HTML. Escape rules are format-specific. Multi-step output (JSON containing HTML) may need nested escaping.
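Double-escaping and context confusion in runnable form, as an added example rather than code from the tool: a heuristic that flags markup escaped twice, and a serializer for the JSON-inside-HTML case. It uses Python's standard `html` and `json` modules; the function names and the `RAW` sample are constructed for illustration.

```python
import html
import json
import re

# Constructed sample value, as it might arrive from a form field.
RAW = '</script><b>Tom & "Jerry"</b>'

# An entity whose own ampersand was escaped again, e.g. &amp;lt; or &amp;#39;
DOUBLE_ESCAPED = re.compile(r"&amp;(?:lt|gt|amp|quot|apos|#\d+|#x[0-9a-fA-F]+);")

def html_text(value):
    """Escape & < > " ' for HTML element content and quoted attributes."""
    return html.escape(value, quote=True)

def looks_double_escaped(markup):
    """Heuristic: True when markup shows signs of two escape passes.
    Text that legitimately discusses entities can also match."""
    return bool(DOUBLE_ESCAPED.search(markup))

def json_for_script(obj):
    """JSON for an inline <script> element. json.dumps() alone leaves
    '</script>' intact, which would end the element early; \\u003c and
    friends keep the JSON valid while hiding markup characters from HTML."""
    return (json.dumps(obj)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))

def html_escaped_json_parses(obj):
    """The tempting wrong fix: HTML-escape the JSON. A <script> body is
    not entity-decoded by the browser, so the parser would see &quot;."""
    try:
        json.loads(html_text(json.dumps(obj)))
        return True
    except json.JSONDecodeError:
        return False

if __name__ == "__main__":
    print(html_text(RAW))
    print(looks_double_escaped(html_text(html_text(RAW))))
    print(json_for_script({"name": RAW}))
```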
⚠Unicode in non-Unicode contexts
Some systems only accept ASCII. Escape Unicode characters to escape sequences for universal compatibility. But modern systems prefer Unicode directly.
⚠Quote character choice
JavaScript allows double or single quotes. If you pick double quotes, escape internal double quotes; single quotes pass through. Switch quote type if the other has fewer occurrences.
⚠Forgetting SQL dialect differences
MySQL doubles single quotes. PostgreSQL has additional escape syntax. SQL Server and Oracle have their own quirks. Pick the right dialect.
⚠XSS prevention
Escape HTML when displaying user content. Do not just strip tags — use proper escaping (entity for less-than, etc.). Use framework-provided safe rendering (React automatically escapes, Vue too).
⚠Null bytes and control characters
Some formats reject null bytes or certain control characters. JSON rejects control characters except the escaped ones. Check format-specific rules for unusual characters.
String Escape/Unescape — comparisons and alternatives
String escape vs URL encoding: String escape: for embedding text in code (JSON, JS, HTML). URL encoding: for putting text in URLs (percent-encoded). Different syntax, different purposes. See URL Encoder/Decoder for the URL variant.
String escape vs HTML entity encoding: Partially overlap. HTML entity encoding is specifically for HTML context. Broader string escape tools handle many formats.
String escape vs Base64: Base64 encodes binary as ASCII (for different reasons). String escape transforms characters for text-format embedding. Base64 grows data 33%; string escape grows only escaped characters.
JSON escape vs YAML escape: YAML has multiple quoting styles with different escape rules. JSON has one rule set. Our JSON to YAML handles the difference.
Parameterized query vs SQL escape: Parameterized queries separate SQL from data — no escaping needed (database driver handles it). SQL escape is for hardcoded strings in SQL, not for user input. ALWAYS use parameterized queries for user input.
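The difference described here, and in the SQL escaping note and the "SQL escaping is not injection prevention" item earlier on the page, shown with Python's built-in `sqlite3` module. This is an added example, not code from the tool; the table, the function names and the two test inputs are constructed.

```python
import sqlite3

# Constructed test inputs: an ordinary name with a quote, and text whose
# quotes would rewrite the WHERE clause if they reached the SQL parser.
ORDINARY = "O'Brien"
QUOTED_TEST_INPUT = "nobody' OR '1'='1"

def make_db():
    """In-memory SQLite database with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), (ORDINARY,), ("bob",)])
    return conn

def sql_literal(text):
    """Quote doubling, for a string you hard-code into a SQL script."""
    return "'" + text.replace("'", "''") + "'"

def find_concat(conn, name):
    """Before: the input becomes part of the SQL text."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.OperationalError as exc:
        return "syntax error: " + str(exc)

def find_param(conn, name):
    """After: the ? placeholder sends the value separately from the SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]

if __name__ == "__main__":
    db = make_db()
    for value in (ORDINARY, QUOTED_TEST_INPUT):
        print(repr(value), find_concat(db, value), find_param(db, value))
    print(sql_literal(ORDINARY))
```

With concatenation the ordinary name breaks the statement and the quoted test input matches every row; with the placeholder the first finds its one row and the second finds none.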
Context-specific escaping: A single string may need different escaping in different contexts. HTML attribute value vs HTML content vs URL parameter all have different rules. Use context-aware sanitization libraries in real code, not manual escape.
Frequently asked questions about the String Escape/Unescape
▶What is string escaping?
String escaping is the process of preparing a string for embedding in a specific format (JSON, XML, HTML, JavaScript, SQL). Special characters (quotes, backslashes, newlines, etc.) that have meaning in the target format are replaced with escape sequences that represent the literal character without triggering the format syntax.
▶Why do I need to escape strings?
If you include a string with special characters in code or data without escaping, you get syntax errors or security vulnerabilities. For example, a JSON value with an unescaped quote will break parsing. Escape prevents the format characters from being interpreted as structure.
▶What is the difference between escape and encode?
Escape adds escape sequences (backslashes) for specific formats — JSON, JavaScript, SQL. Encode is broader — URL encoding (percent encoding), Base64 encoding, etc. They are related but distinct concepts.
▶How do I escape HTML to prevent XSS?
Escape the 5 main characters: less-than, greater-than, ampersand, double quote, single quote. They become named entities. Modern frameworks (React, Vue, Angular) do this automatically for rendered content — do not use innerHTML with untrusted content.
▶Is escaping sufficient for SQL injection prevention?
No. Attackers find ways around any escape function. Always use parameterized queries (prepared statements). The escape tool is for hardcoded strings in SQL scripts, never for user input.
▶What is the difference between JSON escape and JavaScript escape?
JSON is a subset of JavaScript syntax. JSON requires double quotes around strings. JavaScript allows single, double, or backticks. JSON has stricter rules (no trailing commas, no comments). For embedding text in either, this tool handles both.
▶What if my string has Unicode characters?
Most formats (JSON, HTML, JavaScript) support Unicode natively. For ASCII-only contexts, escape Unicode to escape sequences. Tool offers both: preserve Unicode or fully-escape.
▶Is this tool safe for secret strings?
Yes. Escaping happens entirely in your browser. Strings never upload. Safe for passwords, API keys, user data.
▶Why does SQL have different escaping per database?
SQL standards mention string escaping but databases implement differently. MySQL, PostgreSQL, SQL Server, Oracle each have subtle differences. Pick the right dialect in this tool.
▶When should I use raw strings?
When your target language supports them (Python r-prefix, JavaScript String.raw, C# at-quote). Raw strings disable escape processing — convenient for regex, file paths. But data from outside (user input, files) still needs proper escaping.
Additional resources
- RFC 8259 — JSON Spec — JSON string escape rules.
- MDN JavaScript Escape Sequences — JavaScript string literal escape.
- HTML Entities — HTML entity reference.
- OWASP XSS Prevention — Context-aware HTML escaping for XSS prevention.
- String Escaping Guide (Tooleras blog) — Our deep dive on string escaping.