String Escape - Free Online Tool | PivaBox

Escape and unescape strings for JSON, JavaScript, HTML, XML, URL, CSV and more

String Escape/Unescape Tool — Convert Text Between Raw and Escaped Formats for JSON, JavaScript, HTML, XML, URL, CSV, Java, and Unicode

Paste or type your source text into the Input textarea. The tool accepts any text — from single-line strings to multi-paragraph documents with special characters. String escaping is a fundamental concept in programming and data interchange: certain characters (like double quotes in JSON, angle brackets in HTML, or newlines in CSV) have special meaning in their respective contexts and must be 'escaped' — replaced with an alternative representation — to be treated as literal text rather than control characters. Conversely, 'unescaping' converts escaped sequences back to their original literal form.
Select the Escape Type from the dropdown — the tool supports 8 distinct escaping schemes: JSON (double quotes, backslashes, control characters → \n, \t, \"), JavaScript (same as JSON plus single-quote string escaping and template literal support), Java (Java string literal escaping with Unicode \uXXXX sequences), HTML (entities like < for <, & for &), XML (the five predefined XML entities plus numeric character references), CSV (field quoting and embedded quote doubling for RFC 4180 compliance), URL (percent-encoding %20 for spaces, %2F for slashes), and Unicode (\uXXXX escape sequences for any non-ASCII character). Choose Escape to add escape sequences or Unescape to convert them back to raw text.
Configure optional settings: Preserve whitespace (HTML/XML only) keeps spaces and line breaks intact rather than normalizing them — important when escaping pre-formatted text or code blocks. Click Process to perform the conversion, then review the output and use Copy Output to transfer the result. The Swap button quickly reverses the direction, and Show Original lets you compare input and output side by side. All escaping and unescaping happens entirely in your browser using JavaScript's built-in string manipulation — your text never leaves your device, making this safe for sensitive data like API keys, authentication tokens, and proprietary source code.

Frequently Asked Questions

Why do different contexts (JSON, HTML, URL) need different escaping rules — can't there be one universal escape format?

Each context has unique syntax rules that emerged from different historical requirements, making a universal format impractical. JSON escaping needs to handle double-quoted strings within a JavaScript-like syntax — the backslash (<code>\</code>) is the escape character, and control characters like newline become <code>\n</code>. HTML escaping is entirely different — instead of backslash sequences, it uses named entities (<code>&lt;</code>) and numeric character references (<code>&#60;</code>) because HTML predates JSON by decades and was designed for document markup, not programming. URL percent-encoding (<code>%20</code> for space) exists because URLs were originally restricted to a small subset of ASCII printable characters — the <code>%</code> prefix signals a hexadecimal byte value. CSV escaping uses yet another approach — doubling embedded quotes (<code>""</code> for a literal double-quote within a quoted field) — because CSV was designed for spreadsheet interchange where backslashes are common in data. The PivaBox converter handles all these schemes correctly in one tool, saving you from needing separate utilities for each format. All conversion is browser-side, so proprietary strings remain private.

What's the difference between JavaScript string escaping and JSON string escaping — aren't they the same?

JavaScript and JSON escaping are closely related but not identical. JSON (RFC 8259) defines a strict subset: strings must be double-quoted, and the only valid escape sequences are <code>\"</code>, <code>\\</code>, <code>\/</code>, <code>\b</code>, <code>\f</code>, <code>\n</code>, <code>\r</code>, <code>\t</code>, and <code>\uXXXX</code>. JSON does NOT support single-quote escaping or hexadecimal escapes like <code>\x41</code>. JavaScript string escaping is more permissive — it supports both single-quoted (<code>'hello'</code>) and double-quoted strings, template literals with backtick (<code>`hello`</code>) that allow embedded expressions (<code>${...}</code>), octal escapes (<code>\101</code>, though deprecated in strict mode), and hexadecimal escapes (<code>\x41</code>). The JSON mode in this tool is strict — it produces output that passes <code>JSON.parse()</code> validation — while JavaScript mode handles the broader set of JS string literal syntax. This distinction matters when generating configuration files or API payloads where JSON validity is required.

What are the most common real-world scenarios where string escaping is essential?

String escaping is encountered daily in software development: (1) API development — when embedding user-generated content in JSON responses, unescaped double quotes or control characters will produce invalid JSON that breaks client parsing. (2) Web security (XSS prevention) — HTML-escaping user input before rendering it in a page is the primary defense against Cross-Site Scripting attacks; unescaped <code><script></code> tags in user comments can execute arbitrary JavaScript. (3) SQL injection prevention — while parameterized queries are preferred, string escaping is a secondary defense for legacy code. (4) CSV export/import — fields containing commas, quotes, or newlines must be properly escaped for RFC 4180-compliant CSV files that open correctly in Excel and Google Sheets. (5) URL construction — query parameter values with spaces, ampersands, or non-ASCII characters must be percent-encoded to form valid URLs. (6) Log file analysis — unescaping log entries to reveal the original user input or error message. The PivaBox String Escape tool handles all these scenarios in a single, free, browser-side utility.