
String Escape & Unescape

Escape and unescape strings for JavaScript, JSON, SQL, HTML, URLs and regular expressions — pick a context and go.


What is string escaping?

Every text-based syntax (JSON, SQL, HTML, URLs, regex) has special characters that mean something other than themselves. Putting an unescaped ' in a SQL string can break a query (or open you up to injection). An unescaped < in HTML is parsed as the start of a tag. A literal ? in a URL becomes a query separator. Escaping is the process of converting those characters into a safe form that the parser will read back as the original character. Unescaping is the reverse: turning an escaped string, such as a JSON or HTML one, back into its plain form.

How to use the escape tool

Pick a context matching the syntax you're working with — JavaScript, JSON, SQL, HTML, URL component or regex literal. Choose Escape to convert plain text into safe-for-the-context form, or Unescape to do the reverse. Paste your input. The output updates live, with a character count for sanity. Each context uses the rules of that syntax precisely: JS uses \n, \t, \"; SQL doubles single quotes; HTML uses entities; URL uses percent-encoding.

Picking the right context

If you're going to embed the string inside JavaScript code, use JavaScript. If you're putting it in a JSON value (e.g. a config file or API payload), use JSON, which is stricter than JS. HTML is the right choice for content that will be rendered on a page (also safe for quoted HTML attribute values). URL is for individual query parameter values, not full URLs (which already contain :// and ? as structural characters). Regex escapes a literal string for use inside a regular expression, which is useful when matching user input verbatim.

Examples by context

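| Context | Input | Output |
| --- | --- | --- |
| JavaScript | `It's "fine"` | `It\'s \"fine\"` |
| JSON | `line1\nline2` | `line1\\nline2` |
| SQL | `O'Brien` | `O''Brien` |
| HTML | `<b> & "x"` | `&lt;b&gt; &amp; &quot;x&quot;` |
| URL | `a b/c?d=1` | `a%20b%2Fc%3Fd%3D1` |
| Regex | `3.14 (pi)` | `3\.14 \(pi\)` |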
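
The per-context rules above, as an added JavaScript example (not the tool's own code; the function names are assumptions, and `&#39;` for the apostrophe is an assumed entity because the page does not say which one the tool emits). It reproduces the table's outputs and shows two context mismatches failing: JavaScript-escaped text rejected by a JSON parser, and an unescaped string over-matching when used as a regex.

```javascript
// Added example; function names are illustrative, not the tool's own code.

// HTML: the five characters the page lists. &#39; is an assumed choice of entity.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);

// SQL string literal: double each single quote (for display, not for live queries).
const escapeSqlLiteral = (s) => s.replace(/'/g, "''");

// URL component: percent-encodes ?, &, =, / so the value cannot alter URL structure.
const escapeUrlComponent = (s) => encodeURIComponent(s);

// Regex: backslash-prefix the characters the page lists: \ ^ $ . * + ? ( ) [ ] { } | / -
const escapeRegex = (s) => s.replace(/[\\^$.*+?()[\]{}|\/-]/g, '\\$&');

// JSON string body: JSON.stringify applies the JSON rules; drop the outer quotes.
const escapeJson = (s) => JSON.stringify(s).slice(1, -1);

// JavaScript string body: same as JSON plus \' so it fits either quote style.
const escapeJs = (s) => escapeJson(s).replace(/'/g, "\\'");

// True when `body`, wrapped in double quotes, is accepted by a JSON parser.
function parsesAsJson(body) {
  try {
    JSON.parse('"' + body + '"');
    return true;
  } catch {
    return false;
  }
}

// True when a regex built from `pattern` matches the whole of `text`.
const matchesWhole = (pattern, text) => new RegExp('^' + pattern + '$').test(text);

// Constructed sample inputs, in the style of the table above.
const sampleName = "It's";
const sampleLiteral = '3.14 (pi)';

// Mismatch 1: JavaScript escaping emits \', which JSON forbids.
console.log(parsesAsJson(escapeJs(sampleName)), parsesAsJson(escapeJson(sampleName)));

// Mismatch 2: unescaped, "." and "(" are operators, so a different string matches.
console.log(matchesWhole(sampleLiteral, '3914 pi'),
            matchesWhole(escapeRegex(sampleLiteral), '3914 pi'));
```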

Frequently asked questions

Why are there separate JavaScript and JSON modes?
JSON string syntax is a strict subset of JavaScript string syntax: it doesn't allow \', \v, \0, hex escapes (\xHH) or unescaped control characters. JS is more permissive. If you're building a JSON document, use JSON; if you're embedding a string in .js source, use JavaScript. Mismatching them can produce strings that crash a JSON parser.
Should I use this for SQL queries to prevent injection?
No — for actual production queries, use parameterised queries (prepared statements) in your database driver. SQL escaping here is for human-readable conversion (e.g. building a one-off query, transforming a data dump). Single-quote doubling is the SQL standard, but modern apps should pass values as parameters, not concatenate them.
What's the difference between encodeURIComponent and encodeURI?
The URL mode uses component-style encoding (the encodeURIComponent behaviour), which percent-encodes ?, &, =, / and similar, so the result is safe to drop into a query parameter value. Full-URL encoding (encodeURI) leaves those characters alone because they have structural meaning. If you're encoding a value that goes after a = in a URL, this mode is what you want.
Does HTML escape produce attribute-safe or content-safe output?
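Both. The encoder escapes <, >, &, " and ', which is a superset of what's strictly required for either context, so the result is safe to drop into element content or any quoted attribute value (single- or double-quoted). Entity escaping does not cover unquoted attribute values, or places where the browser interprets the value as script, CSS or a URL (inside <script> or <style>, event-handler attributes such as onclick, or href and src); those need their own encoding or validation.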
What does the regex mode escape?
Every character that has special meaning in a JavaScript regular expression: \, ^, $, ., *, +, ?, (, ), [, ], {, }, |, /, -. The result can be used inside a regex to match the original string literally — handy when you've got user input you want to find verbatim.
Does anything leave my browser?
No. Escape and unescape both run as plain JavaScript in your browser. Safe for credentials, internal queries, secret-bearing strings — nothing is uploaded, logged or stored.