Skip to content

String Escape/Unescape

Escape and unescape strings for JSON, URL, HTML, and general use

When special characters need escaping (or unescaping)

If you’ve ever tried to embed a string with quotes into a JSON payload and everything blew up, you know why escaping matters. This tool handles the conversion in four formats: basic string escaping (newlines, tabs, quotes), JSON (full JSON.stringify), URL encoding (percent-encoding), and HTML entities. Works both directions, escape and unescape.

Paste in Hello "World" & <Friends> and here’s what you get:

  • HTML: Hello &quot;World&quot; &amp; &lt;Friends&gt;
  • URL: Hello%20%22World%22%20%26%20%3CFriends%3E
  • JSON: "Hello \"World\" & <Friends>"

What’s supported

  • Basic escaping for \n, \t, \r, \"
  • JSON escaping following JSON.stringify rules (wraps in quotes, handles all special characters)
  • URL percent-encoding (uses encodeURIComponent, encodes more aggressively than encodeURI)
  • HTML entity encoding for <, >, &, "
  • Escape and unescape buttons for each format
  • One-click copy
  • All processing in your browser

How to use it

Paste your text. Click the escape or unescape button for your target format. Copy the output. That’s it.

The bidirectional support is key, you’re not always escaping. Sometimes you’re staring at a URL-encoded string in a log file and you just need to read the original content. Paste it in, click URL Unescape, and there’s your readable text.

Practical scenarios

Building API requests: you’ve got user input that needs to go into a JSON body or a query parameter. Special characters in the wrong place will break your request. Escape first, then embed.

Preventing XSS: rendering user-generated content in HTML? Those <script> tags need to become &lt;script&gt; before they touch the DOM. HTML escaping is your first line of defense, though a real security strategy needs CSP headers and input validation too.

URL query parameters: spaces, ampersands, equals signs, question marks, all of these have special meaning in URLs. If they’re part of your data rather than the URL structure, they need percent-encoding.

Debugging encoded strings: logs and network traces are full of encoded text. Paste a URL-encoded or HTML-encoded string in here and unescape it to see what it actually says. Saves time vs. mentally decoding %20 and &amp; in your head.

Data migration: moving data between systems that use different encoding conventions. Convert from one format to another without writing a throwaway script.

For JSON-specific formatting (pretty-print, validation), check the JSON Formatter. For bulk text replacements, the Find and Replace tool handles that.

One gotcha with URL encoding: this tool uses encodeURIComponent, which encodes more characters than encodeURI. Use it for query parameter values, not for entire URLs.

FAQ

What’s the difference between the four escape types?

Basic handles control characters (newlines, tabs, quotes). JSON applies full JSON.stringify rules. URL converts to percent-encoded values for safe URL transmission. HTML converts to entity names for safe browser rendering.

When do I need URL encoding?

Whenever you’re putting text into URL query parameters or path segments. Characters like spaces, &, ?, and = need encoding so they’re treated as data, not URL structure.

Does HTML escaping stop XSS?

It helps, converting <, >, ", and & to entities prevents the most common XSS vectors. But real XSS prevention requires a layered approach: escaping, content security policies, and input validation together.

Can I unescape text from other tools?

Yes. The unescape functions follow standard specs. Any properly escaped JSON, URL-encoded, or HTML-encoded text should unescape correctly here.

Is this private?

Yes. Everything runs in your browser. Nothing gets transmitted.

escape unescape json url-encode html-encode string

Related Tools

More in Text Tools