String Escape & Unescape Tool

Escape and unescape strings for HTML, JSON, URL, SQL, JavaScript, and regex

The string escape tool converts text between raw form and escaped form for different programming contexts. Choose the target encoding — HTML entities, JSON string, URL percent-encoding, SQL, JavaScript, or regex — and instantly get the correctly escaped output with one-click copy. Supports both escaping and unescaping.

How to Use the String Escape Tool

Different programming contexts require different escaping conventions. Inserting user input into HTML without escaping causes XSS vulnerabilities. Building SQL queries with unescaped strings enables SQL injection. This string escape tool handles all common contexts automatically so you can safely embed strings anywhere.

HTML Entity Escaping

Converts <, >, &, ", and ' to their HTML entity equivalents. Essential when rendering user-supplied content in HTML to prevent cross-site scripting (XSS) attacks.

URL Encoding

Percent-encodes characters that are not allowed in URLs — spaces become %20, & becomes %26, etc. Use this when constructing query string parameters manually.

JSON String Escaping

Escapes characters required by the JSON spec: backslashes, double quotes, and control characters like newlines and tabs. Use this when building JSON strings by hand rather than using JSON.stringify().

Regex Escaping

Adds backslashes before all regex metacharacters: . * + ? ( ) [ ] { } ^ $ | \. This is critical when building regex patterns dynamically from user input — unescaped metacharacters will change the pattern's meaning or cause errors.

More Free Tools

URL Encoder / Decoder

Encode and decode URLs and query parameters

Base64 Encoder / Decoder

Encode and decode Base64 strings

HTML to Markdown Converter

Convert HTML to clean Markdown

JSON Formatter

Format and validate JSON data

Regex Tester

Test and debug regular expressions

Frequently Asked Questions

Is this string escape tool free?

Yes, completely free with no signup required. All processing runs locally in your browser.

What is HTML escaping?

HTML escaping converts special characters to HTML entities so they display correctly in web pages. For example, < becomes &lt;, > becomes &gt;, and & becomes &amp;. This prevents XSS attacks when displaying user input in HTML.

What is URL encoding?

URL encoding (percent encoding) replaces characters that aren't allowed in URLs with a % followed by two hex digits. For example, spaces become %20, & becomes %26. Use this when building query strings or embedding data in URLs.

When do I need JSON string escaping?

JSON strings must escape certain characters: double quotes (\"), backslashes (\\), and control characters like newlines (\n) and tabs (\t). If you're embedding user input in a JSON string manually, use JSON escaping to prevent syntax errors.

What is regex escaping?

Regex escaping adds backslashes before metacharacters like . * + ? ( ) [ ] { } ^ $ | \ so they are treated as literal characters rather than regex operators. Essential when dynamically building regex patterns from user input.