String Escape & Unescape: JSON, XML, HTML, SQL, URL
What does escaping do?
Every text-based format has characters with reserved meaning: quotes in JSON, angle brackets in HTML and XML, single quotes in SQL literals, percent signs in URLs. Escaping replaces those characters with safe equivalents so the string parses as data instead of being interpreted as markup or syntax. Picking the wrong escape format is how bugs and injection vulnerabilities slip in.
How to use
- Pick Escape or Unescape.
- Choose the target format: JSON, XML, HTML, SQL, or URL.
- Type or paste your string; conversion happens in real time.
- Press Sample to load a format-specific example.
- Press Swap to feed the output back into the input.
Frequently Asked Questions
Which format should I pick?
Match the format to where the string will end up. Embedding a value in a JSON payload? Use JSON. Putting it inside an XML attribute? Use XML. Rendering inside an HTML page? Use HTML. Building a SQL literal (only when parameterized queries aren't an option)? Use SQL. Sending it as part of a URL query parameter? Use URL.
What's the difference between JSON and HTML escaping?
JSON escapes characters that would break the JSON syntax (quotes, backslashes, control characters) using backslash sequences like \" and \n. HTML escapes characters that would be parsed as markup (<, >, &, and quotes) using named or numeric entities like &lt; and &amp;. The two are not interchangeable: pasting JSON-escaped text into HTML still leaves you open to XSS.
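The mismatch described above, as an added example (not this tool's own code): the same constructed string is run through a JSON escaper and an HTML escaper, and each result is checked against the other format's rules. The function names are illustrative assumptions.

```javascript
// Added example. Function names are illustrative, not the tool's own.

// JSON mode: the contents of a JSON string, without the surrounding quotes.
function escapeJson(s) {
  return JSON.stringify(s).slice(1, -1);
}

// HTML mode: entities for the characters an HTML parser treats as markup.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// True if the text still contains characters HTML reads as tags or attribute delimiters.
function hasRawMarkup(s) {
  return /[<>"']/.test(s);
}

// True if the text can sit between the double quotes of a JSON string.
function isValidJsonStringContent(s) {
  try {
    return typeof JSON.parse('"' + s + '"') === 'string';
  } catch (e) {
    return false;
  }
}

// Constructed sample: markup characters, quotes, a newline and a backslash.
const sample = 'Tom & "Jerry" <b>bold</b>\nC:\\temp';

const asJson = escapeJson(sample);
const asHtml = escapeHtml(sample);

console.log(asJson);
console.log(hasRawMarkup(asJson));             // JSON escaping leaves < and > untouched
console.log(asHtml);
console.log(isValidJsonStringContent(asHtml)); // the raw newline is illegal in a JSON string
```

When a value passes through both contexts (for example, JSON rendered into a page), apply each escape at the point where the string enters that context rather than substituting one for the other.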
Is SQL escaping enough to prevent SQL injection?
No. SQL escaping (doubling single quotes, escaping backslashes) covers the common cases but databases differ in edge cases: encoding, comment syntax, NULL bytes. Parameterized queries (prepared statements) are the only reliable defense. Use this tool to inspect or build literals during development, not as a production injection guard.
Why does the JSON escape mode keep the input on one line?
JSON escape produces the string contents of a JSON value: newlines become \n, tabs become \t, quotes become \". The result is what you'd put inside the double quotes of a JSON string. If you want the full JSON string literal, wrap the result in quotes yourself.
Does this tool send my data to a server?
No. All escape and unescape conversions run in your browser using JavaScript. Your input never leaves your device.