String Escape / Unescape
Escape and unescape HTML, XML, JavaScript, JSON, CSS, and URL strings.
About the String Escape / Unescape Tool
Special characters mean different things in different contexts — a backslash in a file path, a quote in a JSON string, an ampersand in HTML, a percent sign in a URL. Escaping converts these characters to their safe representations for the target context. This tool escapes and unescapes strings for JSON, HTML, URLs, JavaScript, SQL, CSV, and regex — all in your browser.
Escape mode reference
JSON
Escapes ", \, newlines, tabs, and control characters for safe inclusion in JSON string values.
HTML
Converts <, >, &, ", and ' to HTML entities to prevent XSS in rendered HTML.
URL
Percent-encodes characters not allowed in URLs. Use encodeURIComponent for query parameter values; encodeURI for full URLs.
Regex
Escapes regex metacharacters (. * + ? ^ $ [ ] | ( ) \) so a string can be used as a literal pattern in a regular expression.
Pipeline
- JSON Formatter — format JSON that contains escaped strings.
- URL Encoder — encode/decode full URLs with query parameters.
- Text Case Converter — convert case before escaping for use in identifiers.
Frequently asked
- Is my data sent to a server?
- No. All escaping and unescaping runs 100% in your browser. Your strings never leave your device.
- What is string escaping?
- String escaping converts special characters to their escaped representations so they can be safely included in a specific context. For example, a double quote in a JSON string must be escaped as \" to avoid terminating the string prematurely.
- What escape modes does this tool support?
- JSON (\n, \t, \", \\), HTML entities (&amp;, &lt;, &gt;, &quot;), URL encoding (%20, %3A), JavaScript string literals, SQL string escaping, CSV escaping, and regex escaping.
- What is the difference between URL encoding and HTML encoding?
- URL encoding (percent-encoding) converts characters to %XX format for safe inclusion in URLs. HTML encoding converts characters to HTML entities (&amp;, &lt;) for safe rendering in HTML. A string may need both if it appears in a URL inside an HTML attribute.
- What is SQL injection and how does escaping prevent it?
- SQL injection occurs when user input is concatenated directly into a SQL query, allowing attackers to modify the query structure. Escaping single quotes and other special characters prevents this — but parameterized queries are the correct solution, not manual escaping.
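The "URL inside an HTML attribute" case from the FAQ above, as an added example that is not this tool's own code: the value is percent-encoded first, then the finished URL is HTML-escaped for the attribute, and the layers are undone in reverse to confirm the value survives. Function names, the example.com host, and the sample inputs are constructed for illustration.

```javascript
// Added example; function names and sample inputs are constructed for illustration.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const HTML_DECODE = Object.fromEntries(
  Object.entries(HTML_ENTITIES).map(([ch, ent]) => [ent, ch]));

// HTML context: replace the five characters listed under the HTML mode.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Single-pass decode, so "&amp;lt;" becomes "&lt;" and is not decoded twice.
function unescapeHtml(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => HTML_DECODE[ent]);
}

// URL context: percent-encode every key and value separately.
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Nested contexts: URL-encode the data (inner layer), then HTML-escape the
// finished URL for the attribute (outer layer).
function buildSearchLink(base, params, label) {
  const url = `${base}?${buildQuery(params)}`;
  return `<a href="${escapeHtml(url)}">${escapeHtml(label)}</a>`;
}

// HTML escaping alone: attribute is safe, but the value is not URL-encoded.
function htmlOnlyLink(base, value) {
  return `<a href="${escapeHtml(`${base}?q=${value}`)}">link</a>`;
}

// Undo the layers in the order a browser does: HTML-decode, then URL-parse.
function readBackParam(linkHtml, name) {
  const href = /href="([^"]*)"/.exec(linkHtml)[1];
  return new URL(unescapeHtml(href)).searchParams.get(name);
}

const BASE = 'https://example.com/search';               // placeholder host
const SAMPLE = '"><script>alert(1)</script>&x=1';        // constructed input
const link = buildSearchLink(BASE, { q: SAMPLE, lang: 'en' }, 'Results for <b>');
console.log(link);
console.log(readBackParam(link, 'q') === SAMPLE);               // value survives
console.log(readBackParam(htmlOnlyLink(BASE, 'R&D report'), 'q')); // cut at "&"
```

With HTML escaping alone the markup stays intact, but the `&` inside the value is read as a parameter separator, so the receiving side sees a truncated value.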