String Escape & Unescape Online
Escape or unescape strings for JavaScript, JSON, HTML, XML, CSV, SQL, Python, and Java. Convert special characters to their safe escape sequences or decode escaped strings back to readable text. Real-time processing, entirely in your browser.
Why Use This Tool
Eight Language Formats
Switch seamlessly between JavaScript, JSON, HTML, XML, CSV, SQL, Python, and Java escape formats. Each format applies the correct escape rules defined by that language's specification. JavaScript strings use backslash sequences such as \n, \t, and \". HTML replaces angle brackets and ampersands with character entity references. SQL doubles single quotes to prevent syntax errors. CSV wraps fields in double quotes and escapes internal quotes by doubling them. Every conversion follows the established standard for that format, so you can trust the output to work correctly when pasted into your source code, database query, or markup document.
Real-Time Conversion
Enable the real-time toggle and see your escaped or unescaped output update instantly as you type. There is no need to click a button after every keystroke. The converter processes input on every change event, providing immediate visual feedback that helps you verify your escape sequences character by character. This is especially useful when constructing complex strings that include multiple special characters, nested quotes, or multi-line content. You can also disable real-time mode and use the manual Escape or Unescape button if you prefer to process large blocks of text in a single operation to avoid unnecessary intermediate updates.
Complete Privacy
All string escaping and unescaping is performed locally inside your web browser using pure JavaScript. No data is transmitted to any server, stored in any database, or logged anywhere. This means you can safely process sensitive strings such as API keys embedded in configuration files, SQL queries containing personal data, HTML templates with user-generated content, and source code with confidential business logic. You can verify the client-side nature of this tool by disconnecting from the internet after the page loads — it continues to work perfectly because every transformation happens in your browser's JavaScript engine.
Injection Prevention
Proper string escaping is the first line of defense against injection attacks. This tool helps you verify that user-supplied strings are correctly escaped before they are inserted into SQL queries, HTML pages, or JavaScript code. By visually inspecting the escaped output, you can confirm that special characters such as single quotes, angle brackets, ampersands, and backslashes are properly neutralized. Use this tool during development to test your escaping logic, during code review to validate string handling, and during debugging to identify escaping issues that could lead to cross-site scripting (XSS) or SQL injection vulnerabilities.
Swap and Iterate
The swap button lets you instantly move the output back into the input field, making it easy to chain multiple escape or unescape operations. This is useful when you need to double-escape a string (for example, escaping a JSON string that will be embedded inside another JSON string), or when you want to verify round-trip fidelity by escaping and then unescaping the same content. The swap feature works in both Escape and Unescape modes and preserves the current format selection, so your workflow stays uninterrupted.
Copy with One Click
Click the Copy Output button or the Copy badge in the output panel to send the result directly to your clipboard, ready to paste into your editor, terminal, or application. The tool uses the modern Clipboard API with a fallback for older browsers, ensuring reliable copying across all platforms and devices. A toast notification confirms that the copy was successful, and the clipboard contents match the output exactly, including all escape sequences, line breaks, and special characters. You can also use the Clear button to reset both fields and start fresh with a new string.
How to Use the String Escape/Unescape
- Choose your mode and format. Click the Escape tab to convert a raw string into its escaped form, or click the Unescape tab to decode an escaped string back to readable text. Select the target language format from the dropdown: JavaScript, JSON, HTML, XML, CSV, SQL, Python, or Java. Each format applies escape rules specific to that language.
- Enter your string. Type or paste the text you want to process into the input textarea. If the real-time toggle is enabled, the output will update automatically with every keystroke. If real-time mode is off, click the Escape or Unescape button to process the input manually. The character and byte counts update in real time to help you track string length.
- Copy or swap the result. Click Copy Output to send the processed string to your clipboard. Use the Swap Input/Output button to move the result back into the input for chained operations such as double-escaping. Click Clear to reset both fields and start a new conversion.
In JSON, you must escape backslashes, double quotes, and control characters (newline, tab, etc.). The minimal set is: \\, \", \n, \t, \r. Unicode characters outside the Basic Latin range can optionally use \uXXXX notation for maximum compatibility.
Forgetting to escape backslashes in Windows file paths. The path C:\new\folder is interpreted as C:[newline]ew[formfeed]older in most languages. Always double the backslashes: C:\\new\\folder, or use forward slashes which work on all platforms.
Practical Applications
Backend Developer
Leo constructs SQL queries in his Python application and needs to properly escape user-supplied string values. He tests escape sequences here before implementing them in parameterized queries, verifying that special characters like apostrophes and backslashes are handled correctly.
API Developer
Yara debugs JSON payloads that contain escaped Unicode characters and nested quoted strings. She unescapes the raw API response to read the actual content, then re-escapes corrected values before sending them back in PATCH requests.
Security Researcher
Marco tests XSS and SQL injection payloads by escaping attack strings in different formats. He verifies that his web application's output encoding correctly neutralizes malicious input across HTML, JavaScript, and SQL contexts.
Understanding String Escaping
String escaping is the process of replacing special characters within a string with designated escape sequences so that the string can be safely included in source code, queries, markup, or data formats without causing syntax errors or security vulnerabilities. Every programming language and data format defines its own set of characters that carry special meaning and therefore need to be escaped when they appear as literal content. Failing to escape these characters can lead to broken code at best and severe security breaches at worst, including cross-site scripting (XSS) attacks in web applications and SQL injection attacks in database-driven systems.
The concept of escaping dates back to the earliest days of computing, when control characters needed to be distinguished from printable text in terminal communication. The backslash character was adopted as the universal escape prefix in languages descended from C, and HTML introduced ampersand-based character entity references to handle reserved markup characters. Today, proper string escaping remains one of the most important practices in software development, forming the foundation of secure data handling, correct serialization, and reliable inter-system communication.
Common Escape Sequences by Language
Different languages handle escaping in different ways. In JavaScript and Java, the backslash serves as the escape character, and common sequences include \n for newline, \t for tab, \\ for a literal backslash, \" for a double quote, and \' for a single quote. JSON follows the same backslash conventions as JavaScript but also requires Unicode code points outside the Basic Latin range to be represented using \uXXXX notation. Python supports the same backslash sequences and adds raw string literals prefixed with r to disable escape processing altogether.
HTML and XML use a fundamentally different escaping mechanism based on character entity references. The ampersand character is escaped as &, the less-than sign as <, the greater-than sign as >, the double quote as ", and the apostrophe as '. Any Unicode character can also be referenced by its numeric code point, such as © for the copyright symbol. These entities prevent the browser from interpreting user-supplied text as HTML tags or attributes, which is essential for preventing XSS attacks in web applications.
SQL escaping focuses primarily on the single quote character, which delimits string literals in most SQL dialects. The standard escaping method is to double the single quote, so the value O'Brien becomes O''Brien in a SQL string. While parameterized queries are the preferred defense against SQL injection, understanding manual escaping is still important for debugging queries, writing migration scripts, and working with legacy systems that do not support prepared statements. CSV escaping wraps field values in double quotes whenever the field contains a comma, a double quote, or a newline character, and any embedded double quotes are doubled.
Why String Escaping Matters for Security
Improper string escaping is the root cause of some of the most common and dangerous security vulnerabilities in software. Cross-site scripting occurs when an attacker injects malicious JavaScript into a web page by exploiting unescaped user input that is rendered as HTML. If a web application displays a username without escaping angle brackets, an attacker can set their username to include a script tag that executes arbitrary code in every visitor's browser. Similarly, SQL injection occurs when unescaped input is concatenated directly into a SQL query string, allowing an attacker to modify the query's logic, extract unauthorized data, or even delete entire tables. Proper escaping transforms potentially dangerous characters into harmless literal text, ensuring that user input is always treated as data rather than executable code.
Beyond security, correct escaping is essential for data integrity. A JSON document that contains unescaped control characters will fail to parse. A CSV file with unescaped commas inside field values will produce the wrong number of columns. An XML document with unescaped ampersands will trigger a well-formedness error. By using this tool to inspect and verify your escape sequences, you can catch these issues before they reach production and cause data corruption, parsing failures, or broken user interfaces.
Questions & Answers
What is string escaping and why do I need it?
String escaping is the practice of converting special characters within a string into alternate representations called escape sequences so that those characters are treated as literal data rather than syntax elements. You need escaping whenever you embed a string inside a context that assigns special meaning to certain characters. For example, a double quote inside a JavaScript string literal would prematurely terminate the string unless it is escaped as \". Similarly, an angle bracket inside HTML content would be interpreted as the start of a tag unless it is escaped as <. Without proper escaping, your code can produce syntax errors, your data formats can become malformed, and your applications can become vulnerable to injection attacks. This tool makes it easy to see exactly how a string should look after escaping for any of eight common formats.
How does escaping prevent cross-site scripting (XSS) attacks?
XSS attacks exploit the failure to escape user-supplied content before inserting it into an HTML page. When a web application renders untrusted input without escaping, an attacker can inject malicious markup such as script elements that execute arbitrary JavaScript in other users' browsers. Escaping prevents this by converting characters that have special meaning in HTML into their entity-encoded equivalents. The less-than sign becomes <, the greater-than sign becomes >, the ampersand becomes &, and quotes become " or '. After escaping, the browser renders these characters as visible text rather than interpreting them as HTML syntax, which completely neutralizes the injected payload. Modern web frameworks typically apply output escaping by default, but developers still need to understand the underlying mechanism to handle edge cases and raw rendering contexts correctly.
What is SQL injection and how does string escaping help prevent it?
SQL injection is an attack technique in which malicious SQL code is inserted into a query through unvalidated user input. If an application constructs SQL queries by concatenating strings directly from user input without escaping, an attacker can insert characters such as single quotes to break out of a string literal and modify the query's behavior. For example, entering ' OR '1'='1 into a login field could bypass authentication if the input is not escaped. Escaping the single quote by doubling it ('') prevents the attacker's input from terminating the SQL string literal. While parameterized queries (also known as prepared statements) are the gold-standard defense against SQL injection, proper string escaping provides an additional layer of safety and is essential when working with dynamic SQL, stored procedures, or legacy systems that do not support parameterized queries.
How does backslash escaping work in JavaScript and JSON?
In JavaScript and JSON, the backslash character (\) serves as the escape prefix. When the parser encounters a backslash, it treats the following character as part of an escape sequence rather than as a literal character. The most common sequences are \n for a newline (line feed), \t for a horizontal tab, \r for a carriage return, \\ for a literal backslash, \" for a double quote inside a double-quoted string, and \' for a single quote inside a single-quoted string. JSON additionally uses \uXXXX notation (where XXXX is a four-digit hexadecimal code point) to represent any Unicode character, and it requires all control characters (code points below U+0020) to be escaped. JavaScript supports the same \uXXXX syntax and also provides \xHH for two-digit hexadecimal escapes and \0 for the null character.
What are Unicode escape sequences and when should I use them?
Unicode escape sequences represent characters using their numeric code points rather than their literal glyphs. In JavaScript and JSON, the syntax is \uXXXX, where XXXX is a four-digit hexadecimal number corresponding to the Unicode code point. For example, \u00A9 represents the copyright symbol and \u2603 represents the snowman character. In Python, the same \uXXXX syntax is used within regular strings, and \UXXXXXXXX (eight hex digits) handles characters outside the Basic Multilingual Plane. Unicode escapes are useful when your source file encoding might not support certain characters, when you need to embed invisible or non-printable characters in a human-readable way, or when a data format specification requires that non-ASCII characters be escaped. JSON, for instance, technically allows non-ASCII characters in strings, but many JSON producers escape them for maximum interoperability with systems that might not handle UTF-8 correctly.
What is the difference between escaping and encoding?
Escaping and encoding are related but distinct concepts. Escaping replaces specific characters that have special meaning in a given context with alternative representations that are safe within that context, such as replacing " with \" in JavaScript or < with < in HTML. The goal of escaping is to preserve the literal meaning of those characters while preventing them from being interpreted as syntax. Encoding, on the other hand, transforms data from one representation to another, typically changing the format of every byte in the input. Base64 encoding, for example, converts binary data into a sequence of ASCII characters so that it can be transmitted through text-only channels. URL encoding (percent-encoding) replaces unsafe characters with percent signs followed by hexadecimal values. The key distinction is that escaping is context-specific and targets only special characters, while encoding is a systematic transformation of the entire data.
How does CSV escaping work?
CSV (Comma-Separated Values) escaping follows the rules defined in RFC 4180. A field value must be enclosed in double quotes if it contains any of three special characters: a comma (the field separator), a double quote, or a newline character (either carriage return or line feed). When a field is quoted, any double quote character within the field is escaped by doubling it — so a single " becomes "". For example, the value She said "hello" becomes "She said ""hello""" in a CSV file. Fields that do not contain any special characters can optionally be left unquoted for brevity. This escaping mechanism ensures that CSV parsers can correctly identify field boundaries regardless of the content within each field. When using this tool, the CSV escape mode automatically wraps the input in double quotes and doubles any internal double quote characters.
Escape Sequences Reference
Escape sequences represent special characters within string literals. While the backslash convention is shared across many languages, subtle differences exist. This cross-language reference table helps you avoid bugs when switching between programming environments.
| Escape | Meaning | JavaScript | Python | Java | C# | Go |
|---|---|---|---|---|---|---|
\\ |
Backslash | Yes | Yes | Yes | Yes | Yes |
\n |
Newline (LF) | Yes | Yes | Yes | Yes | Yes |
\r |
Carriage return (CR) | Yes | Yes | Yes | Yes | Yes |
\t |
Horizontal tab | Yes | Yes | Yes | Yes | Yes |
\" |
Double quote | Yes | Yes | Yes | Yes | Yes |
\' |
Single quote | Yes | Yes | Yes | Yes | Yes |
\0 |
Null character | Yes | Yes | Yes | Yes | Yes |
\b |
Backspace | Yes | Yes | Yes | Yes | Yes |
\f |
Form feed | Yes | Yes | Yes | Yes | No |
\v |
Vertical tab | Yes | Yes | No | Yes | Yes |
\uXXXX |
Unicode (BMP) | Yes | Yes | Yes | Yes | Yes |
\u{XXXXX} |
Unicode (extended) | ES6+ | \U+8 digits | No | No | Yes |
\xXX |
Hex byte | Yes | Yes | No | \xXXXX | Yes |
Language-specific notes: Python offers raw strings (r"...") that disable escape processing, useful for regex patterns and Windows file paths. C# provides verbatim strings (@"...") for the same purpose. Java requires Unicode escapes for non-ASCII characters in source code. Go interprets escapes only in double-quoted strings; backtick-delimited raw strings pass backslashes through literally.