Skip to content
epitometool

String escape / unescape

Regex & strings

Escape strings for JSON, JS, CSV, HTML and shell.

Updated

Context

Escapes for inclusion inside a JSON string. Result has no surrounding quotes.

Direction

Plain text

Escaped

  • EnterCopy output
  • KClear input

Quick start

How to escape strings

Pick the target context, paste your string, copy the escaped (or unescaped) result.

  1. Step 1
    Pick a context

    JSON, JS, CSV, HTML, shell or regex — each follows that format's actual escaping rules.

  2. Step 2
    Set direction

    Escape converts plain text to the safe form for the chosen context. Unescape reverses it.

  3. Step 3
    Copy the result

    Hit Copy or press ⌘/Ctrl+Enter. Use Swap ⇄ to round-trip without re-pasting.

In-depth guide

Escape strings safely for JSON, JS, CSV, HTML, shell, and regex

Every text format has its own set of "magic" characters — and getting them wrong is the source of an enormous fraction of real-world bugs (broken JSON, shell-injection vulns, mangled CSV exports, XSS). This tool escapes one string at a time for the six contexts you'll meet most often.

JSON vs JS literal — what's actually different

JSON is a strict subset of JavaScript object literal syntax:

  • JSON strings only support double quotes; JS accepts single, double or backticks.
  • JSON only knows about \", \\, \/, \b, \f, \n, \r, \t, \uXXXX. JS additionally knows \x, \u{…}, \', \0.
  • JSON has no comments. JS does (this is irrelevant for a single string, but worth keeping in mind).

Picking JSON gives you output that's safe in either context. Picking JS gives you the more idiomatic form for a hand-written source file.

CSV the RFC 4180 way

Strict CSV escaping has just three rules:

  • If a value contains ,, ", CR or LF, wrap it in "…".
  • Inside a quoted value, double up any literal " — i.e. he said "hi" becomes "he said ""hi""".
  • Otherwise, output the value unchanged.

This tool implements exactly that. The output is safe to drop into a CSV column without breaking the spreadsheet that opens it.

Shell escaping done right

Never interpolate user input into a shell command unescaped. Shell metacharacters (;, |, &, $(), backticks, …) all execute. Always quote, or better — use the parameterised API of whatever you're calling.

The POSIX-safe approach is single-quote escaping: wrap the value in '…', and replace any embedded single quote with the four-char sequence '\'' (close the literal, escape a single ', re-open the literal). This survives every shell — bash, zsh, sh, dash, ksh — without surprises. We use this scheme; the output is ready to paste as a single argument.

Regex and HTML modes

Regex mode escapes every JS-regex metacharacter (\ ^ $ . * + ? ( ) [ ] { } | /) so the input matches itself literally when dropped into new RegExp(…). Useful when a user-supplied substring needs to feed a search regex without their punctuation being interpreted.

HTML mode escapes the minimal five-char set (& < > " ') — the same logic as the dedicated HTML-entities tool, surfaced here for convenience when you're escaping a single value rather than a body of text.

Frequently asked questions

What's the difference between the JSON and JS modes?

JSON mode follows the strict JSON spec — only double-quoted strings, only `\"`, `\\`, `\/`, `\b`, `\f`, `\n`, `\r`, `\t`, and `\uXXXX` are allowed. JS mode additionally accepts single quotes, `\x` hex escapes and `\u{…}` extended escapes — i.e. it's safe for both a JS source literal and a JSON payload.

Why doesn't CSV escaping wrap my value in quotes?

RFC 4180 says a CSV field only needs to be quoted when it contains a comma, a double quote, a CR or an LF. If your value is plain text, the tool returns it unchanged — pasting `hello world` into a CSV cell needs no escaping. Try `hello, world` or text containing a quote and you'll see the wrapping happen.

How does POSIX shell escaping work?

We wrap the value in single quotes, which makes the shell treat every character literally. The only thing single quotes can't contain is another single quote, so an embedded `'` becomes `'\''` — close the literal, escape one `'`, then re-open. The output is always safe to paste into bash, zsh, sh, dash, ksh.

What does the regex mode escape?

Every metacharacter in JS regex grammar: `\ ^ $ . * + ? ( ) [ ] { } | /`. The output, dropped into a `new RegExp(...)`, matches the input literally — useful when you want to match a user-supplied substring without their punctuation being interpreted.

Can I escape a single string for multiple contexts at once?

Switch the Context buttons — the output recomputes immediately. There's no batch view because the right answer is contextual: a JS literal embedded inside JSON inside HTML needs three nested transforms, and which one is innermost depends on your serialiser.

Is anything uploaded?

No. Every transform is a pure JavaScript function running in your browser. No network requests fire during use; you can paste secrets without leaking them.

Keep exploring

More tools you'll like

Hand-picked utilities that pair well with the one you're on — all free, client-side, and zero-signup.

More regex & strings

See all →

Popular across EpitomeTool

Browse all →
Browse all 59+ free tools