Skip to content
Kordu Tools Kordu Tools

String Escape / Unescape

Runs in browser

Escape or unescape strings for JSON, HTML, JavaScript, CSV, and SQL — real-time, client-side, zero dependencies.

Last updated 08 Apr 2026

Escape or unescape strings for six different contexts: JSON, HTML, JavaScript, URL, CSV, and SQL. Choose a format, pick a direction, and paste your text — the output updates in real time. All processing runs client-side using native browser APIs with no data sent to any server.
Loading rating…

How to use

  1. 1

    Choose a format

    Select the escaping format you need: JSON for API payloads, HTML for markup, JavaScript for code strings, CSV for spreadsheet data, or SQL for database queries.

  2. 2

    Select a direction

    Choose Escape to convert plain text to its escaped form, or Unescape to convert an escaped string back to plain text.

  3. 3

    Paste your input

    Type or paste your text into the input panel. The output updates instantly as you type — no button click needed.

  4. 4

    Review the output

    The escaped or unescaped result appears in the output panel. Special characters are converted according to the selected format's rules.

  5. 5

    Copy the result

    Click Copy to copy the output to your clipboard with one click.

Frequently asked questions

What is string escaping?
String escaping converts characters that have special meaning in a given context into safe representations. For example, a < in HTML becomes &lt; so the browser renders it as text instead of starting a tag. Each format has its own set of characters that need escaping and its own escape syntax.
When should I use JSON vs JavaScript escaping?
Use JSON escaping when building JSON payloads for APIs or config files — it handles double quotes, backslashes, and control characters. Use JavaScript escaping when embedding a string in JS source code, particularly when the string uses single quotes or backticks as delimiters.
How is HTML escaping different from URL encoding?
HTML escaping replaces characters like < and & with named entities (&lt;, &amp;) so they display correctly in HTML markup. URL encoding percent-encodes characters so they are safe in a URL. They solve different problems — use HTML escaping inside HTML attributes or content, and URL encoding for URL parameters.
Is my data sent to a server?
No. All escaping and unescaping runs entirely in your browser using native JavaScript. Nothing is transmitted or stored.
What happens if I try to unescape an invalid string?
The tool catches the error and displays a clear message. For example, unescaping a JSON string with invalid Unicode sequences or unescaping HTML with malformed entities will surface a readable error rather than silently corrupting the output.
Can I use this to prevent SQL injection?
SQL escaping here escapes single quotes by doubling them, which is the standard approach for string literals in many SQL dialects. However, parameterized queries and prepared statements are always preferable to string escaping for preventing SQL injection in production code. Use this for debugging, not as a replacement for proper query parameterization.
Does CSV escaping add the surrounding quotes?
Yes. CSV escaping wraps the field in double quotes and doubles any internal double quotes, producing a properly quoted CSV field ready to embed in a CSV row.

String Escape handles the five most common escaping scenarios developers

encounter daily. JSON escaping wraps control characters, quotes, and

backslashes in their \n, \t, \" equivalents so strings are safe inside

JSON payloads. HTML escaping converts &, <, >, ", and ' to their named

entities (&amp;, &lt;, &gt;, etc.) to prevent XSS and malformed markup.

JavaScript escaping is similar to JSON but also handles single quotes and

backticks for template literals. CSV escaping double-quotes fields and

escapes internal quotes by doubling them. SQL escaping singles-quotes your

string and doubles internal single quotes for safe embedding in queries.

The Unescape direction reverses each operation — paste an escaped string

in any format and get the original plain text back. The tool handles numeric

HTML entities (&amp;#123;), hexadecimal entities (&amp;#x7B;), all standard

named entities, and malformed sequences are caught and reported clearly.

All processing is client-side using native browser APIs. Nothing is uploaded,

logged, or transmitted. Useful for debugging API responses, building SQL

queries safely, writing HTML templates, or processing data files.

Related tools

URL Encoder/Decoder

Encode or decode URLs and query string components instantly — supports encodeURIComponent, decodeURIComponent, and full URL encoding.

Base64 Encoder/Decoder

Encode text or files to Base64 or decode Base64 strings back to plain text — real-time, fully in your browser.

JSON Formatter

Format, validate, and minify JSON instantly — with configurable indentation, error location, and tree view.