String Escape / Unescape
Escape or unescape strings for JSON, HTML, URL, SQL, Regex, and CSV contexts. 100% client-side.
How to Use the String Escape Tool
- Choose a format — select JSON, HTML, URL, SQL, Regex, or CSV from the chips above.
- Choose direction — pick "Escape" to encode special characters, or "Unescape" to decode them back.
- Paste your text — the output updates in real time as you type.
- Copy or download — use the buttons above the output panel.
String Escaping by Format
Each data format has its own rules for handling special characters. Understanding when and how to escape strings prevents security vulnerabilities like SQL injection and cross-site scripting (XSS), and ensures data integrity when transferring text between systems.
JSON Escaping
JSON strings must have certain characters escaped with a backslash. Double quotes become \", backslashes become \\, newlines become \n, tabs become \t, carriage returns become \r, and control characters become \uXXXX sequences. JSON escaping is essential when embedding strings inside JSON objects or when generating JSON programmatically. Many bugs in JSON APIs stem from unescaped newlines or quotes in string values.
HTML Escaping
HTML escaping converts characters that have special meaning in HTML markup into their entity equivalents. The five core HTML entities are: &amp; for ampersand, &lt; for less-than, &gt; for greater-than, &quot; for double quote, and &#39; for single quote. HTML escaping is a critical defense against cross-site scripting (XSS) attacks — any user-provided text that will be rendered in a web page must be HTML-escaped before insertion into the DOM.
URL Encoding (Percent Encoding)
URLs can only contain a limited set of characters defined by RFC 3986. Any character outside that set must be percent-encoded as %XX where XX is the hexadecimal byte value. This tool uses JavaScript's encodeURIComponent(), which encodes everything except unreserved characters (A-Z, a-z, 0-9, -, _, ., ~). Spaces become %20, slashes become %2F, and so on. Use URL encoding whenever you include user-supplied strings in query parameters.
SQL String Escaping
In SQL, single quotes delimit string literals. A literal single quote inside a string must be doubled — 'O'Reilly' becomes 'O''Reilly'. Backslashes may also need escaping depending on the database engine. This tool applies both transforms. Important: while manual escaping works, parameterized queries (prepared statements) are the correct approach for production applications and provide full protection against SQL injection.
Regex Escaping
Regular expression metacharacters (. * + ? ^ $ { } ( ) | [ ] \) have special meaning and must be escaped with a backslash when you want to match them literally. For example, to match a literal period, write \. rather than . which matches any character. This is especially useful when building regex patterns dynamically from user input.
CSV Escaping
In CSV (Comma-Separated Values) format, fields containing commas, double quotes, or newlines must be enclosed in double quotes. Any double quote within a quoted field is doubled. For example, the value He said "hello", world becomes "He said ""hello"", world" in a properly escaped CSV field. This tool wraps the entire input in double quotes and doubles any internal double quotes, following RFC 4180.
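The per-format rules from the sections above, written out as one escaper per output context. This is an added example, not the tool's own source: the function names and the sample string are constructed for illustration, and the SQL function assumes an engine that treats backslash as an escape character.

```javascript
// One escaper per output context (added example, hypothetical function names).
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text/attribute context: replace the five core characters with entities.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// SQL string literal: double backslashes first, then double single quotes.
// Assumption: the target engine treats backslash as an escape character.
function escapeSqlLiteral(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "''");
}

// Regex: backslash-escape every metacharacter so the text matches literally.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// CSV (RFC 4180): double internal quotes and wrap the whole field in quotes.
function escapeCsvField(s) {
  return '"' + s.replace(/"/g, '""') + '"';
}

// Dispatch on the context the string is about to be placed in.
function escapeFor(context, s) {
  switch (context) {
    case 'json':  return JSON.stringify(s).slice(1, -1); // drop the outer quotes
    case 'html':  return escapeHtml(s);
    case 'url':   return encodeURIComponent(s);
    case 'sql':   return escapeSqlLiteral(s);
    case 'regex': return escapeRegex(s);
    case 'csv':   return escapeCsvField(s);
    default: throw new Error('unknown context: ' + context);
  }
}

// Constructed sample input that contains a special character for every format.
const sample = `Tom & "Jerry" <b>O'Reilly</b> a.b, 50%`;
for (const ctx of ['json', 'html', 'url', 'sql', 'regex', 'csv']) {
  console.log(ctx.padEnd(6), escapeFor(ctx, sample));
}
```

Output escaped for one context is not safe in another: the SQL escaper leaves `<` and `>` untouched, and the HTML escaper does nothing for regex metacharacters.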
When to Use Escaping vs. Encoding Libraries
For quick ad-hoc conversions, a browser-based tool like this is the fastest option. For production code, always use a well-tested library specific to your language and framework: htmlspecialchars() in PHP, html.escape() in Python, parameterized queries for SQL, and encodeURIComponent() in JavaScript. Libraries handle edge cases that manual escaping may miss, especially for multi-byte Unicode characters.