String Escaper / Unescaper
Escape and unescape strings for JSON, HTML, URL, regex, SQL, and Base64. Instantly convert between escaped and raw text.
String escaping reference
| Context | Characters that need escaping |
|---|---|
| HTML | & -> &amp;, < -> &lt;, > -> &gt;, " -> &quot; |
| JSON string | ", \, newline (\n), tab (\t), control chars |
| JavaScript string | ', ", `, \, ${ |
| SQL | ' -> '' (or use parameterized queries) |
| URL (percent-encoding) | All non-unreserved characters: %20 for space, etc. |
| Regex | . ^ $ * + ? ( ) [ ] { } \ \| |
| Shell (bash) | ' " ` \ $ ! & ; \| ( ) < > |
Why escaping matters
Insufficient escaping is the root cause of injection attacks (SQLi, XSS, command injection).
The golden rule: always escape or parameterize data when inserting it into a different
context. Never build queries or HTML by concatenating user input without escaping.
Injection attack examples
Understanding what can go wrong illustrates why escaping is critical:
- SQL injection: if a login form takes a username and builds a query like SELECT * FROM users WHERE name = ' + input + ', a user who types admin' OR '1'='1 turns it into a query whose WHERE clause is always true, so it returns all users and bypasses authentication. Parameterized queries prevent this entirely, because the input is sent as a value rather than spliced into the SQL text.
- XSS (Cross-Site Scripting): if a page displays user-supplied input directly as HTML, a user can inject <script>alert(document.cookie)</script> to execute JavaScript in other users' browsers. HTML-escaping user content prevents this.
- Command injection: passing user input to a shell command without escaping (e.g., exec("ls " + userInput)) allows an attacker to append ; rm -rf / or exfiltrate files, because the shell interprets ; as a command separator.
Encoding vs. escaping
These terms are related but distinct:
- Escaping transforms specific characters that have special meaning in a context into a safe representation (e.g., HTML-escaping < to &lt;). The original characters are preserved semantically: the reader of the output sees the same text, but the context's parser no longer treats them as syntax.
- Encoding transforms data from one representation to another (e.g., Base64, URL percent-encoding, UTF-8). It changes the form of the entire string, not just special characters.
Context-specific security tools
- Parameterized queries / prepared statements: the correct solution for SQL
injection - never build queries by string concatenation. All major database libraries
support parameterized queries.
- Template engine auto-escaping: frameworks like Jinja2, Twig, Blade, and
React JSX automatically HTML-escape variable output. Opt-in "raw" or "unsafe" modes should
only be used with trusted content.
- Shell argument quoting: in Python, use shlex.quote() to safely escape shell arguments. In Node.js, prefer execFile() over exec() to pass arguments as an array without shell interpretation.
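The following is an added example, not part of this tool's page: it puts the SQL injection case from the examples above beside its parameterized fix, and applies the HTML escaping and shlex.quote() helpers from the tools list. The user table, inputs and function names are constructed for illustration.

```python
import html
import shlex
import sqlite3


def make_db():
    """Constructed in-memory table with two sample accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def lookup_concatenated(conn, name):
    """The vulnerable pattern: input is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL syntax."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """The fix: the driver sends the value separately from the query text,
    so quotes inside it are just characters of the name being compared."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_comment(text):
    """HTML context: escape &, <, >, \" before embedding user text in markup."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def ls_command(path):
    """Shell context: quote the argument so ; and other metacharacters are
    passed to ls as part of the filename, not interpreted by the shell."""
    return "ls " + shlex.quote(path)


if __name__ == "__main__":
    conn = make_db()
    payload = "admin' OR '1'='1"
    print(lookup_concatenated(conn, payload))   # ['admin', 'alice']: every row
    print(lookup_parameterized(conn, payload))  # []: no user has that literal name
    print(render_comment("<script>alert(document.cookie)</script>"))
    print(ls_command("notes; rm -rf /"))        # ls 'notes; rm -rf /'
```

Run it to see the concatenated query return every account while the parameterized one returns nothing, which is the difference the "golden rule" above is about.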