Common character mappings for the current mode:
This online string escape tool is simple yet powerful, supporting seven common escape modes. Here is a detailed guide:
Select an escape mode: Click the corresponding button in the mode selection area at the top of the page to switch between escape modes. The tool supports JSON, HTML, URL, Regex, JavaScript, SQL, and XML modes. Each mode has its own set of escape rules and character mapping table.
Escape operation: Enter the raw text you want to escape in the input box on the left, then click the "Escape" button. The tool will replace special characters with their corresponding escape sequences based on the currently selected mode. For example, in HTML mode, < is escaped to <, and in JSON mode, double quotes are escaped to \".
Unescape operation: Paste the escaped text into the input box and click the "Unescape" button. The tool will convert escape sequences back to their original characters. The unescape function supports batch processing, allowing you to restore multi-line text in one go.
Quick actions: Click "Swap" to move the result to the input area; "Copy" copies the result to the clipboard with one click; "Result to Input" moves the result directly into the input field for further processing.
String escaping is widely used in web development, data processing, and system administration. Here are some typical scenarios:
Dynamic HTML generation: Before inserting user input into HTML, it must be HTML-entity escaped to prevent XSS (cross-site scripting) attacks. For example, a malicious <script> tag in a user comment should be escaped to <script> to prevent the code from executing.
JSON data handling: When manually constructing JSON strings or debugging API responses, you need to escape double quotes, backslashes, and newline characters within the string. This tool can quickly perform JSON string escaping and unescaping, improving development and debugging efficiency.
Regular expression construction: When building regular expressions dynamically, special metacharacters must be escaped. For example, if user input contains ., *, or ?, they must be escaped to \., \*, and \? to match literal characters.
SQL statement concatenation: Although parameterized queries are recommended, in scenarios where SQL strings must be concatenated manually, single quotes within strings must be escaped to prevent SQL injection vulnerabilities.
HTML Entity Encoding: HTML entities are character references starting with &. They are divided into named entities (e.g., < for less-than) and numeric entities (e.g., < or <). All ASCII characters can be represented using numeric entities, while named entities are only defined for specific characters.
URL Encoding (Percent-Encoding): URL encoding converts non-ASCII characters and reserved characters into the %HH format, where HH is the hexadecimal ASCII value of the character. For example, a space becomes %20, and the Chinese character "中" becomes %E4%B8%AD. RFC 3986 defines which characters must be encoded.
JSON Escape Specification: According to the ECMA-404 standard, JSON strings must escape double quotes (\"), backslashes (\\), control characters, and Unicode characters (\uXXXX). Newlines are escaped to \n, carriage returns to \r, and tabs to \t.
Security Reminder: Escaping operations themselves do not provide encryption; they simply ensure that characters can be parsed correctly within a specific syntax. To protect sensitive data, use HTTPS for transmission and AES or other encryption algorithms. For user input, always validate and escape again on the server side.
String escaping is the process of replacing special characters with escape sequences so they can be correctly parsed in a specific context. For example, in HTML the < character is escaped to <, and in JSON a double quote is escaped to \".
Escaping replaces special characters with sequences that include backslashes or entity names, keeping the character somewhat readable. Encoding transforms characters into completely different representations, such as Base64 or percent-encoded URLs.
Yes. The tool supports multi-line text input, allowing you to escape or unescape large amounts of text at once. Results can be copied to the clipboard with a single click.
No. All escaping operations are performed locally in your browser using pure JavaScript. Data is never uploaded to any server, ensuring the security of sensitive information.
The tool supports seven modes: JSON escaping, HTML entity escaping, URL encoding, regular expression escaping, JavaScript string escaping, SQL string escaping, and XML entity escaping.
Yes. Each escape mode provides a corresponding unescape function. For example, the HTML entity < can be restored to <, and JSON's \" can be restored to a double quote.
JavaScript string escaping converts special characters into forms that can be safely used inside string literals, such as converting newlines to \n, tabs to \t, and backslashes to \\. This is essential when dynamically generating JavaScript code.