String Escape / Unescape Free
Escape special characters in strings for JavaScript/JSON, Python, SQL, CSV, and regex — or unescape them back to literal characters. Handles backslashes, quotes, newlines, tabs, null bytes, and Unicode escape sequences. Runs entirely in your browser.
Input
Output
Pro — bulk escape, multi-language batch, regex tester, SQL injection scanner, API access
API access · Priority queue · Team workspace
How It Works
Paste Your String
Paste any string containing special characters that need escaping before embedding in code, or paste an already-escaped string you want to unescape back to literal characters. Common inputs include multi-line text with actual newlines, strings with embedded quotes, file paths with backslashes, SQL query fragments, CSV field values with commas and quotes, or regex patterns with metacharacters. Click Sample to see a representative example for the current language mode.
Select Language
Select the target language or format: JavaScript/JSON (escapes backslash, double-quote, newline, tab, carriage return, null, and form-feed as standard JSON escape sequences), Python (escapes backslash, single-quote, double-quote, newline, tab, carriage return, and null), SQL (escapes single-quote by doubling it, per SQL standard), CSV (escapes double-quotes by doubling them for RFC 4180 field values), or Regex (escapes all metacharacters for use in regex patterns).
Copy or Download
Click Escape to replace special characters with their escape sequences, or Unescape to restore escape sequences back to the literal characters they represent. The output appears in the right panel ready to copy. The stats bar shows the number of escape sequences applied, helping you verify that all special characters in the input were processed. Download saves the output as a plain text file.
String Escape Features
Language-aware escaping for JS, JSON, Python, SQL, CSV, and regex
JavaScript / JSON Escaping
Escapes all characters required for valid JSON strings: backslash (\\), double-quote (\"), newline (\n), carriage return (\r), tab (\t), form-feed (\f), backspace (\b), and null (\0). Control characters below 0x20 are encoded as \uXXXX. The result is safe to wrap in double quotes and embed directly in JSON payloads, JavaScript source code, or HTTP request bodies.
Python String Escaping
Produces escape sequences valid in Python string literals: backslash (\\), single-quote (\'), double-quote (\"), newline (\n), tab (\t), carriage return (\r), null (\0), and form-feed (\f). The output can be wrapped in either single or double quotes and used directly in Python source code, f-strings, and template strings without causing syntax errors.
SQL String Escaping
Escapes single-quote characters by doubling them (' → ''), which is the ANSI SQL standard for single-quote escaping used in MySQL, PostgreSQL, SQLite, Oracle, and SQL Server. This is the correct way to escape literal values for SQL string literals. Note: you should use parameterized queries in production code — string escaping alone is not sufficient protection against all forms of SQL injection.
CSV Field Escaping
Escapes double-quote characters by doubling them (" → "") per RFC 4180, which specifies the CSV quoting convention. The output is ready to wrap in double quotes as a CSV field value. This correctly handles fields containing commas, newlines, and embedded quotes — the three cases that require CSV quoting. Compatible with Excel, Google Sheets, Python's csv module, and any RFC 4180 compliant CSV parser.
Regex Metacharacter Escaping
Escapes all 14 regex metacharacters with a backslash: . * + ? ^ $ { } [ ] | ( ) \. The output can be used as a literal string pattern in JavaScript new RegExp(), Python re.compile(), Java Pattern.compile(), and most other regex engines without accidentally matching regex operators. Essential when building dynamic regex patterns from user input or file paths.
100% Private
All escaping and unescaping runs locally in your browser using JavaScript string manipulation. No data is transmitted to any server. Safe for escaping strings containing database credentials, API keys, password values in config files, private user data in SQL queries, proprietary code snippets, and any other sensitive content that must not be exposed to third-party services.
Free vs Pro
| Feature | Free | Pro |
|---|---|---|
| JS, Python, SQL, CSV, Regex | ||
| Escape & unescape | ||
| Bulk escape (multiple strings) | — | |
| Regex tester & live match | — | |
| SQL injection audit mode | — | |
| REST API access | — |
Frequently Asked Questions
String escaping replaces characters that have special meaning in a programming language, query language, or data format with escape sequences that represent those characters literally. For example, a double-quote inside a JavaScript string literal would end the string prematurely unless escaped as \". Without proper escaping, strings containing special characters cause syntax errors, data corruption, or security vulnerabilities like SQL injection and XSS attacks.
A real newline is an actual line break character (Unicode U+000A) in the text. The two-character sequence \n is an escape sequence that represents a newline in source code string literals — it is not itself a newline. When you write "hello\nworld" in JavaScript, the string contains a real newline between hello and world. This tool's Escape function converts real newlines in the input into the \n escape sequence, suitable for embedding in a string literal. Unescape does the reverse.
A literal backslash must be escaped as a double backslash (\\) in most languages (JavaScript, JSON, Python, Java, C). This is the most common escaping mistake — Windows file paths like C:\Users\Alice must be written as C:\\Users\\Alice in a JavaScript or JSON string literal. Paste the path into this tool with JavaScript/JSON mode selected and click Escape to get the correctly escaped version automatically.
SQL single-quote escaping (doubling quotes) protects against injection in standard single-quoted string contexts, but it is not a complete defense. Injection is still possible in other contexts (numeric parameters, identifiers, stored procedures) and may fail if the database uses a non-standard character set. The secure approach is always to use parameterized queries (prepared statements) with bound parameters, where user input is never concatenated directly into SQL strings. Use this tool's SQL mode for manual inspection, not as a substitute for parameterized queries in production code.
Regex metacharacters that must be escaped with a backslash when you want them to match literally are: . (any char), * (zero or more), + (one or more), ? (optional), ^ (start/negate), $ (end), {} (quantifier), [] (character class), | (alternation), () (group), and \ (escape char itself). Selecting Regex mode and clicking Escape handles all of these automatically, producing a pattern that matches the input string literally.
Yes — all escaping and unescaping runs entirely in your browser using JavaScript. No data is sent to any server. You can verify by opening your browser's developer tools network panel before pasting text and confirming that no requests are made. This makes the tool safe for escaping strings that contain database credentials, API secrets, password values, private user data in SQL queries, and any other sensitive content that should not leave your device.