String Escaper & Unescaper

Escape special characters in strings for safe inclusion in code or data formats, or unescape previously escaped strings back to their original form. Supports multiple language and format contexts.

Escape/Unescape String

Escape or unescape strings for various contexts (JavaScript, HTML, XML, JSON, URL, CSS)

Mode

Escape Type:

Original String

Escaped String

About String Escaping

String escaping converts special characters into a safe format for a specific context. This prevents syntax errors and security vulnerabilities like XSS attacks.

JavaScript: Escapes quotes, backslashes, and control characters
HTML: Converts <, >, &, quotes to entities
XML: Similar to HTML with apostrophe support
JSON: Wraps string in quotes with proper escaping
URL: Percent-encodes special characters
CSS: Escapes non-alphanumeric characters

How the Escape/Unescape String Tool Works

Paste your string to escape special characters, or input an escaped string to unescape it. Choose the escaping format: JavaScript, JSON, HTML, XML, or URL encoding.

Escaping converts special characters to safe sequences. Quotes become \", newlines become \n, angle brackets become < and >. The exact conversion depends on the target format.

Unescaping reverses the process, converting escape sequences back to original characters. The tool auto-detects the escape format or uses your selection. Preview changes in real-time.

When You'd Actually Use This

Writing JavaScript string literals

Need to include quotes or newlines in JS strings? Escape them properly. Prevents syntax errors and security issues in your code.

Creating JSON payloads

JSON requires proper escaping of strings. Quotes, backslashes, and control characters must be escaped. Generate valid JSON for APIs.

Preventing XSS attacks

User input in HTML needs escaping. Convert < to < to prevent script injection. Essential security practice for web applications.

Embedding code in documentation

Documentation with code examples needs escaping. HTML entities prevent browsers from interpreting code as markup. Clean documentation display.

Processing log files

Log entries may contain special characters. Escape for safe storage and display. Unescape when analyzing or displaying logs.

Working with template engines

Template variables may need escaping. Prevent injection attacks and rendering issues. Most templates auto-escape, but manual control is sometimes needed.

What to Know Before Using

Different contexts need different escaping.HTML escaping differs from JavaScript. JSON has its own rules. URL encoding is different still. Choose the right format for your context.

Double escaping causes problems.Escaping already-escaped text produces \\< instead of <. Track what's already escaped. Unescape before re-escaping.

Some characters are always safe.Alphanumeric characters never need escaping. Only special characters and control codes require escaping. Know which characters are special in your context.

Unicode needs consideration.Some contexts require Unicode escaping. JavaScript supports \uXXXX. JSON requires escaping certain Unicode. Know your format's Unicode rules.

Pro tip: For HTML, escape at the last moment before output. Store raw data, escape when displaying. This prevents double-escaping and preserves data integrity.

Common Questions

What characters need HTML escaping?

At minimum: & < > " and '. & becomes &, < becomes <, etc. Prevents HTML injection and XSS attacks.

How do I escape newlines in JavaScript?

Use \n for newline, \r for carriage return, \t for tab. In template literals (backticks), you can use actual newlines.

What's the difference from URL encoding?

URL encoding uses %XX hex format. Space becomes %20. HTML uses &name; entities. Different purposes: URLs vs markup vs code strings.

Can I escape entire files?

Yes, paste file contents or upload. The tool processes the entire text. Useful for preparing code snippets or documentation.

What about SQL escaping?

SQL uses different escaping (quotes doubled or backslash). This tool focuses on web formats. For SQL, use parameterized queries instead of manual escaping.

How do I unescape HTML entities?

Select HTML unescape mode. & becomes &, < becomes <. Named entities ( ) and numeric ( ) both work.

Is escaping enough for security?

Escaping is necessary but not sufficient. Use Content Security Policy, input validation, and other defenses. Defense in depth is essential.

Other Free Tools

Search tools