String Escaper

Escape and unescape strings for JSON, HTML, URL and Regex contexts

What is it and how does it work?

String escaping converts special characters into safe sequences that a parser, interpreter or transport layer can handle correctly. In JavaScript, a backslash in a string must become \\; a newline becomes \n; a double-quote inside a double-quoted string becomes \". Without escaping, these characters terminate the string or are misinterpreted, causing syntax errors, injection vulnerabilities, or garbled data.

This tool handles the most common escaping contexts: JavaScript/JSON strings, HTML entities (turning < into &lt;), SQL string literals, regex patterns, CSV fields, and shell/bash arguments. It also works in reverse — unescaping converts those sequences back to readable text. Choosing the wrong escaping context is a frequent source of bugs, so the tool labels each mode clearly.

Frequently asked questions

What is the difference between escaping and encoding?

Escaping replaces special characters with sequences meaningful to the current parser (e.g. \" in JavaScript). Encoding transforms content to a different representation entirely (e.g. Base64 or percent-encoding). Both serve safety, but they're not interchangeable — use the right one for the target context.

Why is manual string escaping risky for SQL?

It's easy to miss edge cases, and a missed quote can allow SQL injection. Parameterised queries (prepared statements) are the safe standard — they separate data from code structurally.

What characters must be escaped in JSON?

The JSON spec requires escaping: double-quote (\"), backslash (\\), and control characters U+0000–U+001F (as \uXXXX). Forward slash (/) may optionally be escaped as \/ but does not need to be.

Does HTML escaping prevent XSS?

HTML entity escaping prevents most XSS when applied to text content and attribute values. However, it must be context-aware: text in a <script> block needs JavaScript escaping, not HTML escaping. A single escaping function applied indiscriminately is not sufficient.
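The context dependence described above, as an added example (not this tool's own code): one constructed input escaped for HTML text, for a JSON string, and for a JSON literal placed inside an inline <script> block. The function names are illustrative assumptions.

```javascript
// Constructed sample input containing characters that matter in each context.
const untrusted = '</script><b>"Tom" & \'Jerry\'</b>\n';

// HTML text content and quoted attribute values: replace the five
// characters the HTML parser treats as markup or attribute delimiters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JSON string literal: JSON.stringify escapes the double-quote, the
// backslash and control characters U+0000 to U+001F. It does NOT touch
// "<" or "/", because they have no meaning to a JSON parser.
function escapeJson(s) {
  return JSON.stringify(String(s));
}

// JSON literal embedded in an inline <script> block. The HTML parser
// ends the script element at "</script" before JavaScript ever runs,
// so <, > and & are additionally written as \uXXXX escapes.
// U+2028 and U+2029 are escaped as well because older JavaScript
// engines treat them as line terminators inside string literals.
function escapeForScriptBlock(s) {
  return JSON.stringify(String(s)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Collect all three renderings so they can be compared side by side.
function renderAll(value) {
  return {
    html: escapeHtml(value),
    json: escapeJson(value),
    script: escapeForScriptBlock(value),
  };
}

console.log(renderAll(untrusted));
```

The plain JSON rendering still contains a literal `</script>`, which is why it is safe in an API response but not inside an HTML page; the script-block rendering decodes back to the identical string with `JSON.parse`.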
