ZenovayTools

String Escape / Unescape

Escape or unescape strings for JSON, HTML, URL, JavaScript, SQL, and RegExp. Supports encode and decode in both directions.

How to Use String Escape / Unescape

  1. 1Paste your string into the input.
  2. 2Select the encoding format (JSON, HTML, URL, etc.).
  3. 3Choose Escape or Unescape direction.
  4. 4Copy the output string.
ZenovayAnalytics

Analytics built for founders.

  • Real-time visitor tracking
  • Privacy-first, no cookie banner
  • Set up in two minutes
Explore Zenovay

Related Tools

JSON Formatter & Validator
Format, validate, and beautify JSON data with syntax highlighting and error detection.
JWT Decoder
Decode and inspect JWT tokens. View header, payload, and verify signatures.
Base64 Encode/Decode
Encode text to Base64 or decode Base64 back to text. Supports UTF-8 and binary data.
URL Encode/Decode
Encode or decode URL components. Handle special characters, query strings, and full URLs.

Frequently Asked Questions

What is the difference between escaping and encoding?
Escaping adds special characters (backslashes, etc.) to make a string safe within a specific context without changing the underlying data representation. For example, a JSON string "He said \"hello\"" escapes the inner quotes. URL encoding (percent-encoding) transforms characters into %XX sequences — this is technically encoding, not just escaping. HTML escaping converts < to &lt; so it is treated as text, not markup. Both change how the string is represented, but the decoded/unescaped value remains the same.
When should I use URL encoding vs HTML encoding?
URL encoding (percent-encoding) is for query strings and URL path segments: encodeURIComponent("a b") → "a%20b". Use it when building URLs dynamically. HTML entity encoding is for embedding text in HTML markup: "<script>" → "&lt;script&gt;". Use it when outputting user-provided content into HTML (to prevent XSS). JSON escaping is for embedding strings in JSON payloads or JavaScript code. Each has its own context — using the wrong one is a security risk.
What is a C/JavaScript string escape?
JavaScript and C use backslash escapes within string literals: \n (newline), \t (tab), \r (carriage return), \\ (literal backslash), \" (double quote), \' (single quote), \0 (null byte), \uXXXX (Unicode code point). This escaping is needed when embedding a string in source code. For example, if you have a string containing a newline, in JSON it is represented as \n, in a JS string literal also as \n.
What is SQL escaping?
SQL escaping replaces single quotes (the string delimiter in SQL) with doubled single quotes (''). For example, O'Brien becomes O''Brien in a SQL string. This prevents SQL injection but is NOT a substitute for parameterized queries — use prepared statements instead. This tool shows what SQL-escaped output looks like, but always prefer parameterized queries in production code: INSERT INTO users (name) VALUES ($1) with the value passed separately.
What is RegExp escaping?
Regular expression escaping adds backslashes before characters with special meaning in regex patterns: . * + ? ^ $ { } [ ] ( ) | \. For example, the string "1.0" as a regex pattern matches "1X0" (dot matches any character). Escaped: "1\.0" only matches the literal string "1.0". Use regex escaping when constructing regex patterns from user input: new RegExp(escapeRegExp(userInput)).