String Escape / Unescape
Escape and unescape strings for JavaScript, HTML, URL, XML, CSV, SQL, and Shell
Format
Escape backslashes, quotes, and control characters (\n, \t, \uXXXX)
Paste your string above to escape it using the JavaScript / JSON format.
You need to embed a JSON string containing double quotes inside a JavaScript string, then put that inside an HTML attribute, then URL-encode the whole thing for a query parameter. Each layer requires different escaping — \" for JSON, &quot; for HTML, %22 for URL — and nesting them wrong produces silent data corruption.
Why This Tool (Not the URL Encoder or HTML Entity Encoder)
PureDevTools has a URL Encoder for percent-encoding and an HTML Entity Encoder for HTML entities. This tool supports seven escape formats in one interface — JavaScript/JSON, HTML entities, URL percent-encoding, XML, CSV, SQL, and Shell/Bash. Escape and unescape in any format, switch between them instantly. Everything runs in your browser.
What Is String Escaping?
String escaping is the process of transforming characters that carry special meaning in a given language or format into a safe representation. When you include a raw string inside code or a data format, certain characters — such as quotes, backslashes, angle brackets, or percent signs — can be misinterpreted. Escaping converts those characters into sequences the parser treats as literal text rather than syntax.
The reverse operation, unescaping (also called decoding), converts escape sequences back into the original characters, letting you read or process the raw content.
Different contexts have different rules. A double-quote that breaks a JavaScript string literal requires a backslash prefix (\"), while the same character in HTML content should be written as &quot;, and in a URL it becomes %22. This tool handles all seven of the most common contexts developers encounter every day.
How to Use This Tool
- Select a format — choose from JavaScript/JSON, HTML, URL, XML, CSV, SQL, or Shell/Bash.
- Choose the operation — Escape → converts plain text into escaped form; ← Unescape converts escape sequences back to plain text.
- Paste your input — type or paste the string you want to process into the input area.
- Copy the output — the result appears immediately. Click Copy to copy it to the clipboard, or click ⇅ Swap to load the output back as the new input (flipping the operation).
All processing happens instantly in your browser. No data ever leaves your device.
Supported Formats
JavaScript / JSON
JavaScript strings and JSON values use backslash-based escaping. This mode handles:
| Character | Escape Sequence |
|---|---|
| \ | \\ |
| " | \" |
| ' | \' |
| Newline (LF) | \n |
| Carriage return (CR) | \r |
| Tab | \t |
| Backspace | \b |
| Form feed | \f |
| Null | \0 |
| Other control chars | \uXXXX |
When unescaping, the tool also handles \uXXXX four-digit hex sequences, \u{XXXXX} Unicode code-point escapes (ES2015+), and \xXX two-digit hex escapes.
JSON note: Strict JSON does not allow single-quote escaping or \xXX sequences — use \" for values that will be embedded in JSON objects.
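As an added example that is not the tool's own code, here is a JavaScript escape/unescape pair implementing the table above; the unescape side also accepts \u{...} and \xXX and uses String.fromCodePoint so code points above U+FFFF come back as proper surrogate pairs.

```javascript
// JavaScript/JSON escape table from the page; other control characters
// fall through to \uXXXX.
const JS_ESCAPES = {
  "\\": "\\\\", '"': '\\"', "'": "\\'", "\n": "\\n", "\r": "\\r",
  "\t": "\\t", "\b": "\\b", "\f": "\\f", "\0": "\\0",
};
const JS_UNESCAPES = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", 0: "\0" };

function escapeJs(s) {
  // One pass over the input: a backslash inserted for one character is
  // never revisited, so the output cannot be double-escaped.
  return s.replace(/[\\"'\x00-\x1f]/g, (ch) => {
    if (JS_ESCAPES[ch] !== undefined) return JS_ESCAPES[ch];
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

function unescapeJs(s) {
  // Handles \u{X..X} (ES2015), \uXXXX, \xXX and the single-character
  // escapes; any other \c yields c itself (so \/ and \" work too).
  return s.replace(
    /\\(?:u\{([0-9a-fA-F]{1,6})\}|u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|([\s\S]))/g,
    (_m, brace, u4, x2, single) => {
      // fromCodePoint builds the surrogate pair for values above U+FFFF;
      // a literal \uD83D\uDE00 pair is rebuilt from its two halves.
      if (brace !== undefined) return String.fromCodePoint(parseInt(brace, 16));
      if (u4 !== undefined) return String.fromCharCode(parseInt(u4, 16));
      if (x2 !== undefined) return String.fromCharCode(parseInt(x2, 16));
      return JS_UNESCAPES[single] !== undefined ? JS_UNESCAPES[single] : single;
    });
}
```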
HTML Entities
HTML encoding protects against XSS vulnerabilities when inserting untrusted text into HTML documents. The tool escapes the five HTML-critical characters and decodes a broad set of named, decimal, and hex entities:
| Character | Encoded form |
|---|---|
| & | &amp; |
| < | &lt; |
| > | &gt; |
| " | &quot; |
| ' | &#39; |
When unescaping, the tool recognises decimal references (&#169;), hex references (&#xA9;), and 30+ named entities including &nbsp;, &copy;, &reg;, &trade;, &mdash;, &hellip;, &euro;, and the Greek letters commonly used in mathematical content.
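An added example (not the tool's code) of the HTML mode: a single-pass escaper for the five critical characters and a decoder for decimal, hex and named references. The named-entity map here is a small constructed subset; unknown names are left as they are.

```javascript
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// Constructed subset of named entities; a real decoder carries many more.
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0",
  copy: "\u00a9", reg: "\u00ae", trade: "\u2122", mdash: "\u2014",
  hellip: "\u2026", euro: "\u20ac", alpha: "\u03b1", beta: "\u03b2",
};

function escapeHtml(s) {
  // Single pass: the `&` of an inserted entity is never itself re-escaped.
  return s.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function unescapeHtml(s) {
  return s.replace(/&(?:#x([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g,
    (whole, hex, dec, name) => {
      // fromCodePoint handles references above U+FFFF (emoji, rare CJK).
      if (hex !== undefined) return String.fromCodePoint(parseInt(hex, 16));
      if (dec !== undefined) return String.fromCodePoint(parseInt(dec, 10));
      // Names outside the map stay as entity text, which is what the user
      // sees when an input contains an entity the decoder does not know.
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
        ? NAMED_ENTITIES[name] : whole;
    });
}
```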
URL / Percent-Encoding
URL encoding (percent-encoding) converts characters outside the unreserved set defined by RFC 3986 into %XX sequences using the UTF-8 byte values of each character. This is the correct encoding to apply to query parameter values and path segments.
hello world & more → hello%20world%20%26%20more
The tool uses encodeURIComponent, which preserves A–Z a–z 0–9 - _ . ! ~ * ' ( ) and encodes everything else — including /, ?, #, &, =, and non-ASCII Unicode characters.
When unescaping, decodeURIComponent is used. If the input contains malformed percent sequences, the tool falls back to a per-byte substitution so you still get a usable result.
XML Entities
XML defines exactly five predefined entities. Unlike HTML, no named entities beyond these five are part of the XML specification (though DTDs may define additional ones).
| Character | XML Entity |
|---|---|
| & | &amp; |
| < | &lt; |
| > | &gt; |
| " | &quot; |
| ' | &apos; |
When unescaping, the tool also decodes decimal (&#NNN;) and hex (&#xHHH;) numeric character references.
Important: Always escape & before other characters to avoid double-escaping. This tool handles order correctly in a single pass.
CSV
Per RFC 4180, CSV fields that contain commas, double quotes, or newlines must be enclosed in double quotes. Double quotes inside the field are escaped by doubling them:
She said, "Hello, world!" → "She said, ""Hello, world!"""
This tool always wraps the escaped output in double quotes, which is the safest approach for interoperability with Excel, Google Sheets, and most CSV parsers. When unescaping, it strips the surrounding quotes (if present) and converts "" back to ".
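An added example, not the tool's own code, of RFC 4180 field quoting and of a parser for one record that undoes it, including doubled quotes and commas or newlines inside quoted fields. It assumes comma as the delimiter and that the record has already been split from the file (a quoted field may span lines, so a naive split on newline is not used).

```javascript
function escapeCsvField(field) {
  // Like the tool, always wrap in double quotes; only `"` needs doubling.
  return '"' + field.replace(/"/g, '""') + '"';
}

// Parse one CSV record into its fields. Quoted fields may contain commas,
// newlines and "" (a literal quote); unquoted fields run to the next comma.
function parseCsvRecord(line) {
  const fields = [];
  let cur = "", i = 0;
  while (i <= line.length) {
    if (line[i] === '"') {
      i++; // skip opening quote
      for (;;) {
        if (i >= line.length) throw new Error("unterminated quoted field");
        if (line[i] === '"') {
          if (line[i + 1] === '"') { cur += '"'; i += 2; continue; } // "" -> "
          i++; break; // closing quote
        }
        cur += line[i++];
      }
    } else {
      while (i < line.length && line[i] !== ",") cur += line[i++];
    }
    fields.push(cur); cur = "";
    if (i >= line.length) break;
    if (line[i] !== ",") throw new Error("expected comma at offset " + i);
    i++;
    if (i === line.length) { fields.push(""); break; } // trailing empty field
  }
  return fields;
}
```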
SQL (ANSI Standard)
The ANSI SQL standard escapes a single quote inside a string literal by doubling it. This is universally supported across PostgreSQL, SQLite, Oracle Database, SQL Server, and MySQL (with NO_BACKSLASH_ESCAPES):
```sql
-- Input
O'Brien's data
-- Escaped (safe to embed between single quotes)
O''Brien''s data
-- Usage in SQL
SELECT * FROM users WHERE name = 'O''Brien''s data';
```
Backslash-based escaping (\') is MySQL-specific and not portable. The ANSI doubling approach works everywhere.
Shell / Bash
Shell escaping is one of the trickiest contexts because Bash performs many substitutions — variable expansion, command substitution, globbing, and more — on unquoted strings. The safest method is single-quoting: characters inside single quotes are never interpreted by the shell.
Since a single quote cannot appear inside a single-quoted string, embedded single quotes use the sequence '\'' (close the current single-quoted segment, add a backslash-escaped single quote, then open a new single-quoted segment):
```bash
# Input
Hello 'world' & more $(cmd)
# Escaped
'Hello '\''world'\'' & more $(cmd)'
```
This approach prevents all forms of shell injection and is safe for arbitrary strings passed to eval, ssh, or similar commands that expand their arguments through a shell.
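An added example, not the tool's own code: the single-quoting transform above, plus a deliberately minimal model of how a POSIX shell reads single quotes and backslashes back, used only to check that the quoted form arrives as exactly one argument with the original bytes. The model ignores double quotes, $, backticks and globbing, which single-quoting makes irrelevant for the quoted word.

```javascript
function shellQuote(s) {
  if (s === "") return "''"; // an empty argument still needs quotes
  // Close the quote, add a backslash-escaped quote, reopen the quote.
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Simplified word splitter: single quotes, backslash outside quotes, and
// whitespace separation only. Returns the argument list the shell would
// hand to the command.
function shellWords(cmdline) {
  const words = [];
  let cur = null, i = 0;
  while (i < cmdline.length) {
    const ch = cmdline[i++];
    if (ch === "'") {
      const end = cmdline.indexOf("'", i);
      if (end < 0) throw new Error("unterminated single quote");
      cur = (cur ?? "") + cmdline.slice(i, end); // literal, no expansion
      i = end + 1;
    } else if (ch === "\\") {
      if (i >= cmdline.length) throw new Error("dangling backslash");
      cur = (cur ?? "") + cmdline[i++]; // next char taken literally
    } else if (ch === " " || ch === "\t" || ch === "\n") {
      if (cur !== null) { words.push(cur); cur = null; }
    } else {
      cur = (cur ?? "") + ch;
    }
  }
  if (cur !== null) words.push(cur);
  return words;
}
```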
Choosing the Right Escape Format
| Context | Use |
|---|---|
| String inside JavaScript/TypeScript code | JavaScript / JSON |
| Value inside a JSON document | JavaScript / JSON |
| Text rendered into HTML (preventing XSS) | HTML |
| Query parameter or URL path segment | URL / Percent |
| Attribute value or text in XML/SVG | XML |
| Field value in a .csv file | CSV |
| String literal in a SQL query | SQL |
| Argument passed to a shell command | Shell / Bash |
When building a URL that goes inside an HTML attribute (e.g., href="..."), apply URL-encoding first to the query values, then HTML-encode the entire URL for the attribute context.
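An added example (not the tool's code) of the layering just described: percent-encode each query value with encodeURIComponent, then HTML-escape the whole URL for the href attribute, and compare with the reversed order. The path /search, the parameter names and queryValue are constructed for the example.

```javascript
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Correct order: URL layer first (inner), HTML layer second (outer).
// The `&` between parameters becomes &amp; in the attribute; the browser
// turns it back into `&` before following the link.
function hrefFor(base, params) {
  return 'href="' + escapeHtmlAttr(base + "?" + buildQuery(params)) + '"';
}

// Wrong order: HTML-escaping the values first means encodeURIComponent
// percent-encodes the entity text, and the server receives &amp; literally.
function hrefWrongOrder(base, params) {
  const escaped = Object.fromEntries(
    Object.entries(params).map(([k, v]) => [k, escapeHtmlAttr(v)]));
  return 'href="' + base + "?" + buildQuery(escaped) + '"';
}

// What a server-side parser recovers for one parameter of the URL the
// browser requests (constructed helper; uses the WHATWG URL API).
function queryValue(pathAndQuery, name) {
  return new URL(pathAndQuery, "http://example.invalid").searchParams.get(name);
}
```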
Common Mistakes and How to Avoid Them
Double-escaping
Double-escaping happens when you escape a string that is already escaped. For example, if &amp; is HTML-encoded again, it becomes &amp;amp;, which renders as the literal text &amp; instead of &. Use this tool’s Swap button to round-trip your string and verify that unescape(escape(s)) === s.
Using the wrong format for the context
SQL-escaped strings are not safe in shell commands, and shell-escaped strings will not work in SQL. Always match the escape format to the execution context.
Forgetting to escape & first in HTML/XML
If you escape < before &, the & in the resulting &lt; could be mistakenly escaped again, producing &amp;lt;. This tool processes characters in the correct order — & first — to avoid producing double-encoded output.
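An added example, not from the tool, that shows the ordering mistake concretely: the same three replace() calls in the wrong and the right order, a one-pass variant that cannot get the order wrong, and a cheap check for text that has already been escaped twice (assumption: only &, < and > matter here).

```javascript
// Sequential replace() with `<` handled before `&`: the `&` that `&lt;`
// introduced is rewritten again in the last step.
function escapeHtmlWrongOrder(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&/g, "&amp;");
}

// Same calls with `&` first: each original character is rewritten once.
function escapeHtmlAmpFirst(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Order-independent alternative: one regex, one callback, one pass.
function escapeHtmlOnePass(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
  return s.replace(/[&<>]/g, (ch) => map[ch]);
}

// Detects the double-escaping symptom: an entity whose ampersand is
// itself the entity `&amp;` (e.g. `&amp;lt;`, `&amp;#169;`).
function looksDoubleEscaped(s) {
  return /&amp;(?:[a-zA-Z]+|#x?[0-9a-fA-F]+);/.test(s);
}
```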
Backslash escaping in SQL
MySQL accepts \' for escaping single quotes, but only in some SQL modes. Other databases do not support it. Use the ANSI doubling method ('') for portable SQL code.
Frequently Asked Questions
Can I use this for JSON serialization? For complete JSON serialization (adding surrounding quotes, handling arrays and objects), use the JSON Formatter tool. This tool escapes the content of a string without adding surrounding quotes — ideal when you need to embed a value into an existing JSON template.
Does URL encoding change the case of hex digits?
encodeURIComponent produces uppercase hex digits (e.g., %2F). Both %2f and %2F are equivalent and universally supported, but uppercase is the convention in modern specs.
Why does my unescaped HTML still show entity codes?
The input likely contains unknown named entities (e.g., &zwnj;) that are not in the tool’s built-in map. For a comprehensive decode, use a full HTML parser. The tool covers the 35+ most common named entities.
Is it safe to escape user input and embed it in SQL queries? SQL escaping is a second line of defence. Parameterised queries (prepared statements) are always the preferred approach because they separate data from structure entirely. Use SQL escaping only when parameterised queries are not available.
What about Unicode surrogate pairs?
For Unicode code points above U+FFFF (emojis, rare CJK characters), this tool uses String.fromCodePoint instead of String.fromCharCode to correctly handle values that require surrogate pairs in JavaScript’s UTF-16 encoding.