Escape and unescape strings for JavaScript, HTML, URL, SQL and Regex. Instant conversion with live preview.
The String Escape / Unescape Tool handles encoding and decoding of special characters across five common contexts: JavaScript, HTML, URL, SQL, and Regex. Switch between modes with a single click, paste your input, and get the escaped or unescaped result instantly with live preview. All processing runs entirely in the browser with no data sent to any server.
String escaping is the process of converting special characters in a string so they are treated as literal characters rather than control characters in the target context. For example, a double quote " inside a JavaScript string literal must be written as \" to prevent it from ending the string prematurely. Failing to escape strings correctly is one of the most common causes of injection vulnerabilities - SQL injection, XSS (Cross-Site Scripting), and command injection all typically result from unescaped user input being interpreted as code.
Select the JavaScript tab above and paste your string into the input - the tool will escape backslashes (\\), double quotes (\"), single quotes (\'), newlines (\n), carriage returns (\r), and tabs (\t). The escaped output is safe to embed inside JavaScript string literals. For safe JSON embedding use JSON.stringify() in code. Never embed unescaped user-supplied strings directly into JavaScript or HTML - this is how XSS vulnerabilities are introduced.
In HTML, five characters must be escaped to prevent them from being parsed as markup: & -> &amp;, < -> &lt;, > -> &gt;, " -> &quot;, and ' -> &#39;. Failing to escape < and > in user-generated content allows attackers to inject arbitrary HTML tags, and failing to escape & and " in attribute values can break attribute parsing or inject event handlers. The HTML tab in this tool handles all five standard HTML escapes.
Select the URL tab and paste your value - the tool uses JavaScript's encodeURIComponent() to encode reserved characters like spaces (%20), ampersands (%26), equals signs (%3D), and other special characters into percent-encoded equivalents safe for use in query string values. Decoding uses decodeURIComponent() to reverse the process. URL encoding is required when you include special characters in query parameter values, form submissions, or API request URLs.
Regex metacharacters - . * + ? ^ $ { } ( ) | [ ] \ - have special meaning in regular expressions. To match them literally, each must be preceded by a backslash. For example, to match the literal string $5.00 in a regex you must write \$5\.00. Select the Regex tab above and the tool will escape all metacharacters in your input string, producing a pattern safe for use in new RegExp() or an inline regex literal to match the exact text you entered.
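The JavaScript, HTML, URL and Regex escapes described above, written out as an added example that is not the tool's own code. It goes one step beyond the page by combining two contexts (a query value placed inside an HTML attribute). The function names, the sample strings and the /search path are assumptions.

```javascript
// Added example; function names are hypothetical, not the tool's own code.

// JavaScript string literal: one pass, so the backslashes added here are not re-escaped.
function escapeJs(s) {
  const map = { '\\': '\\\\', '"': '\\"', "'": "\\'", '\n': '\\n', '\r': '\\r', '\t': '\\t' };
  return s.replace(/[\\"'\n\r\t]/g, (c) => map[c]);
}

// HTML text and attribute values: the five characters listed above.
// A single pass also keeps "&" from being escaped twice.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// URL query value: percent-encode reserved characters.
function escapeUrl(s) {
  return encodeURIComponent(s);
}

// Regex: put a backslash in front of every metacharacter.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Nested contexts: a query value inside an HTML attribute is URL-encoded first,
// then HTML-escaped, because encodeURIComponent() leaves "'" untouched.
// The /search path is a constructed placeholder.
function buildLink(query) {
  const href = escapeHtml('/search?q=' + escapeUrl(query));
  return "<a href='" + href + "'>" + escapeHtml(query) + '</a>';
}

// Constructed sample input.
const sample = 'Tom\'s "deal": <b>$5.00</b> & more';
console.log(escapeJs(sample));
console.log(escapeHtml(sample));
console.log(escapeUrl(sample));
console.log(escapeRegex(sample));
console.log(buildLink(sample));
console.log(new RegExp('$5.00').test('cost $5.00'));              // unescaped pattern
console.log(new RegExp(escapeRegex('$5.00')).test('cost $5.00')); // escaped pattern
```

Each escaper is correct only for its own context: the HTML-escaped string is not safe inside a JavaScript literal, and the JavaScript-escaped string is not safe inside HTML.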