What is String Escaping?
String escaping replaces special characters with safe sequences that can appear in contexts where the raw character would otherwise cause syntax errors, security issues, or data corruption. Every programming language and data format has its own escape rules — using the wrong ones (or forgetting them entirely) is a common source of bugs, injection vulnerabilities, and broken output.
This tool supports seven formats: HTML, JavaScript, JSON, Python, SQL, Regular Expressions, and CSV.
HTML Escaping
HTML reserves five characters that must be escaped inside element content and attribute values:
| Raw character | Escaped form |
|---|---|
| `&` | `&amp;` |
| `<` | `&lt;` |
| `>` | `&gt;` |
| `"` | `&quot;` |
| `'` | `&#39;` |
Forgetting to escape user-supplied text before embedding it in HTML is the root cause of Cross-Site Scripting (XSS). Always escape at the point of output, not at the point of input.
JavaScript String Escaping
Inside a JavaScript string literal, the backslash \ acts as an escape prefix:
| Sequence | Character |
|---|---|
| `\\` | Backslash |
| `\"` | Double quote |
| `\'` | Single quote |
| `\n` | Newline (LF, U+000A) |
| `\r` | Carriage return (U+000D) |
| `\t` | Horizontal tab (U+0009) |
| `\0` | Null character (U+0000) |
| `\b` | Backspace (U+0008) |
| `\f` | Form feed (U+000C) |
| `\v` | Vertical tab (U+000B) |
| `\uXXXX` | Unicode code point |
JSON String Escaping
JSON is stricter than JavaScript: only double-quoted strings are valid, and only a specific set of escape sequences is permitted by RFC 8259. Control characters (U+0000–U+001F) that are not handled by a named sequence must be encoded as \uXXXX.
Python String Escaping
Python uses the same backslash convention as JavaScript with one addition: \a represents the bell/alert character (U+0007, \x07). Python’s raw strings (r"...") disable escape processing — useful when writing regular expressions.
SQL Escaping
SQL uses a different convention: a single quote inside a string literal is escaped by doubling it (''), not by a backslash. Some database engines (notably MySQL with default settings) also treat \\ as an escaped backslash. Always use parameterised queries instead of manual string escaping in production code — SQL escaping by hand is error-prone.
Regular Expression Escaping
Regular expression engines assign special meaning to these metacharacters:
. * + ? ^ $ { } ( ) | [ ] \ -
If you want to match any of these literally, prefix them with a backslash. For example, to match a literal dot use \. rather than . (which matches any character). This tool escapes all metacharacters to produce a safe literal pattern.
CSV Escaping (RFC 4180)
CSV has no universal standard, but RFC 4180 is widely adopted. The rules are:
- If a field contains a comma, double quote, newline, or carriage return, wrap it in double quotes.
- Escape a double quote inside a quoted field by doubling it: `"He said ""hello"""`.
A field without special characters requires no quoting and is left unchanged.
Roundtrip Safety
Every escape type in this tool is designed to be fully reversible: escaping a string and then unescaping the result always returns the original input. You can verify this with the Escape → copy output → paste as input → Unescape workflow.
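Reversibility depends on how the unescape step is written, which the following added example shows for the HTML and CSV rules described on this page. It is not this tool's source code: the function names and sample strings are constructed for illustration, and `&#39;` is assumed as the escaped form of the apostrophe.

```javascript
// Added example, not the tool's source. All names and samples are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const HTML_UNESCAPES = Object.fromEntries(
  Object.entries(HTML_ESCAPES).map(([raw, esc]) => [esc, raw]));

// One pass over the input: an '&' emitted by a replacement is never re-escaped.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// One pass again: in "&amp;lt;" only "&amp;" matches, so the result is the
// text "&lt;", not the character "<".
function unescapeHtml(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => HTML_UNESCAPES[e]);
}

// Flawed on purpose: decoding "&amp;" first lets the next replace decode the
// output a second time, so literal "&lt;" in the original becomes "<".
function unescapeHtmlChained(s) {
  return s.replace(/&amp;/g, '&').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'");
}

// RFC 4180 rule from the CSV section: quote only when needed, double inner quotes.
function escapeCsvField(s) {
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

function unescapeCsvField(s) {
  const quoted = s.length >= 2 && s.startsWith('"') && s.endsWith('"');
  return quoted ? s.slice(1, -1).replace(/""/g, '"') : s;
}

// True when unescape(escape(input)) returns the input unchanged.
function roundTrips(escape, unescape, input) {
  return unescape(escape(input)) === input;
}

// Constructed samples: text that itself mentions entities, and a quoted CSV value.
const SAMPLE_HTML = `Use &lt;b&gt; for "bold" & don't nest <b> tags`;
const SAMPLE_CSV = 'He said "hello", then left';

console.log(escapeHtml(SAMPLE_HTML));
console.log(roundTrips(escapeHtml, unescapeHtml, SAMPLE_HTML));        // true
console.log(roundTrips(escapeHtml, unescapeHtmlChained, SAMPLE_HTML)); // false
console.log(escapeCsvField(SAMPLE_CSV));
console.log(roundTrips(escapeCsvField, unescapeCsvField, SAMPLE_CSV)); // true
```

The chained variant fails the roundtrip because it decodes twice, which also means text a user typed as `&lt;b&gt;` comes back as live markup characters.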