String Escape/Unescape

Escape or unescape strings for JSON, HTML, XML, C#, JavaScript, and SQL — prevent encoding errors and injection vulnerabilities.

Format

Input

Result

Examples

JSON: Hello "World" → Hello \"World\"
HTML: <div> → <div>
C#: Line1\nLine2 (with actual newline escaped)
SQL: O'Brien → O''Brien

What Is String Escaping?

String escaping is the process of replacing special characters in a string with escape sequences so the string can be safely embedded in a specific context (JSON, HTML, SQL, etc.) without breaking syntax or introducing security vulnerabilities. Unescaping reverses the process, converting escape sequences back to their original characters.

Without proper escaping, characters like ", ', <, &, and \ can terminate strings prematurely, corrupt data, or — in the worst case — enable injection attacks (XSS, SQL injection).

Escape Rules by Format

Format	Characters Escaped	Escape Syntax	Why It Matters
JSON	`" \ / \b \f \n \r \t`	Backslash prefix (`\"`)	Unescaped quotes break JSON parsing
HTML	`< > & " '`	Named/numeric entities (`<`)	Prevents XSS and rendering issues
XML	`< > & " '`	Entity references (`&`)	Preserves well-formed XML structure
C#	`" \ \n \r \t \0`	Backslash prefix (`\\`)	Keeps string literals syntactically valid
JavaScript	`' " \ \n \r \t`	Backslash prefix (`\'`)	Prevents string termination in JS code
SQL	`'`	Double single-quote (`''`)	Prevents SQL injection in queries

How to Use This Tool

Select the target format from the dropdown (JSON, HTML, XML, C#, JavaScript, or SQL).
Paste your text into the Input area.
Click Escape to encode special characters, or Unescape to decode them.
Copy the result from the output area.

Common Use Cases

API Development: Escape user input before embedding it in JSON payloads to prevent malformed responses.
Web Security: HTML-escape user-generated content to prevent Cross-Site Scripting (XSS) attacks.
Database Queries: SQL-escape values in dynamic queries (though parameterized queries are always preferred).
Code Generation: Escape strings for embedding inside C# or JavaScript source code.
Debugging: Unescape over-encoded strings to see the original content.

Frequently Asked Questions

They are related but different. Escaping replaces specific characters with escape sequences within the same character set (e.g., " → \" in JSON). Encoding transforms the entire string into a different representation (e.g., Base64, URL percent-encoding). Both serve to make data safe for a specific context. Try our URL Encoder for percent-encoding.

No. Always use parameterized queries (prepared statements) in production code. Manual SQL escaping is error-prone and cannot protect against all injection vectors. This tool is useful for debugging and one-off data inspection, not for building application security.

Double escaping occurs when an already-escaped string is escaped again — e.g., \" becomes \\\". This usually happens when serialization runs twice (e.g., JSON-encoding a value that is already a JSON string). To fix it, unescape the string once using this tool and identify where the extra encoding step occurs in your code.