Escape and unescape strings for JSON, HTML, URL, Backslash, and RegEx formats instantly.
Editing and transforming text manually is tedious and error-prone. String Escape Tool automates the process so you can escape and unescape strings for JSON, HTML, URL, backslash, and regex formats in one click. It works with any length of text, from a single sentence to thousands of lines, and runs entirely in your browser for complete privacy.
String escaping is required whenever you embed one type of content inside another. You must escape HTML when inserting user-generated content into a web page (to prevent XSS attacks). Escape JSON strings when constructing JSON manually — quotes and backslashes inside string values must be escaped. URL-encode query parameters that contain special characters (spaces, &, =, etc.). Escape regex strings when building patterns from user input to prevent accidental metacharacter injection.
Cross-Site Scripting (XSS) is a security vulnerability where attackers inject malicious scripts into web pages viewed by other users. For example, if a user submits <script>alert(1)</script> as a comment and it's inserted directly into HTML, the browser executes it. HTML escaping converts < to &lt; and > to &gt;, so the browser treats the input as text rather than markup. Always escape user input before rendering it in HTML contexts.
URL encoding (percent-encoding) converts characters to %XX hex format and is used in query strings, form submissions, and URI components; for example, a space becomes %20 and an ampersand becomes %26. HTML encoding uses named entities and numeric references (&amp;, &lt;, &#39;) and is used when embedding content inside HTML documents. They serve different contexts and are not interchangeable: using URL encoding in HTML (or vice versa) can break your page or introduce security issues.
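The same constructed input run through an escaper for each context, as an added example that is not part of the original page or the tool's own code; the function names and the sample string are assumptions made for illustration. It also checks two mismatches: JSON escaping leaves HTML markup intact, and HTML escaping does not protect a query string.

```javascript
// Added example: escapers for the four contexts discussed above.
// Function names are hypothetical, not taken from the tool.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  // & is escaped too, so entity-like sequences in the input stay inert text.
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

function escapeRegExp(text) {
  // Backslash-escape every regex metacharacter so the input matches literally.
  return String(text).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function escapeJsonString(text) {
  // JSON.stringify escapes quotes, backslashes and control characters.
  return JSON.stringify(String(text));
}

function escapeUrlComponent(text) {
  // Percent-encodes everything except unreserved characters.
  return encodeURIComponent(String(text));
}

// Constructed sample input with characters that are special in every context.
const sample = `a&b=<script>alert("1")</script> 50%.*`;

function demo() {
  const html = escapeHtml(sample);
  const json = escapeJsonString(sample);
  const url = escapeUrlComponent(sample);
  const re = new RegExp('^' + escapeRegExp(sample) + '$');
  return {
    html, json, url,
    // Wrong encoder for the context: JSON escaping leaves markup intact.
    jsonStillHasMarkup: json.includes('<script>'),
    // Wrong encoder: HTML escaping leaves & and =, which split a query string.
    htmlSplitsQuery: new URLSearchParams('q=' + html).get('q') !== sample,
    // Right encoder: the URL-encoded value round-trips through a query string.
    urlRoundTrips: new URLSearchParams('q=' + url).get('q') === sample,
    // Escaped pattern matches the input itself but not text where ".*" is replaced.
    regexMatchesLiterally: re.test(sample) && !re.test(sample.replace('.*', 'xyz')),
  };
}

console.log(demo());
```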