Escape & Unescape

Free Online Escape & Unescape Tools

Escape and unescape HTML, XML, JSON, JavaScript, Java, .NET, CSV, and SQL. All 16 tools run client-side — your data stays private.

html
HTML Escapearrow_forward
html
HTML Unescapearrow_forward
code
XML Escapearrow_forward
code
XML Unescapearrow_forward
javascript
JavaScript Escapearrow_forward
javascript
JavaScript Unescapearrow_forward
code
Java Escapearrow_forward
code
Java Unescapearrow_forward
code
.Net Escapearrow_forward
code
.Net Unescapearrow_forward
code
JSON Escapearrow_forward
code
JSON Unescapearrow_forward
table
CSV Escapearrow_forward
table
CSV Unescapearrow_forward
database
SQL Escapearrow_forward
database
SQL Unescapearrow_forward

What Is Character Escaping and Why Does It Matter?

Character escaping converts special characters (like <, &, or ") into safe encoded equivalents so they can be safely embedded in HTML, XML, JSON strings, SQL queries, or source code without breaking the surrounding syntax.

Failing to escape user input is a leading cause of XSS vulnerabilities and SQL injection attacks. Our tools make escaping and unescaping fast, accurate, and language-specific.

Common Use Cases

  • check_circleEscape HTML entities before inserting user content into a web page
  • check_circleEscape XML special characters in SOAP request bodies
  • check_circleEscape JSON strings containing backslashes or control characters
  • check_circleEscape SQL values to prevent injection in dynamic queries
  • check_circleUnescape HTML entities from CMS or email template output
  • check_circleEscape Java or C# strings containing special characters

Frequently Asked Questions

What is the difference between escaping and encoding?

Escaping replaces special characters with safe equivalents within the same format (e.g. & → &amp; in HTML). Encoding transforms data into a different representation entirely, like Base64 or URL percent-encoding.

Which characters need to be escaped in HTML?

The five essential HTML entities are: & (&amp;), < (&lt;), > (&gt;), " (&quot;), and ' (&#39;). Our HTML escape tool handles all of them automatically.

Why are there different escape tools for each language?

Each language has its own rules for which characters need escaping and what the escape syntax looks like. Java, C#, JavaScript, and SQL all differ in how they handle backslashes, quotes, and newlines.

Can unescaping break my data?

Only if the data was not properly escaped in the first place, or if you unescape it more than once. Always unescape exactly once, matching the format in which it was originally escaped.

Developer Insights

From the Blog

View all articlesarrow_forward
Encoding7 min read

What is URL Encoding? A Complete Guide

From RFC 1738 origins to how percent-encoding works today — everything about URL encoding in web development.

Read articlearrow_forward
JavaScript6 min read

URL Encoding in JavaScript: encodeURI vs encodeURIComponent

A practical guide to the four URL encoding functions in JavaScript with real code examples.

Read articlearrow_forward
Web Dev5 min read

Common URL Encoding Mistakes and How to Avoid Them

Double encoding, encoding full URLs, mixing + and %20 — subtle bugs that only appear in production.

Read articlearrow_forward
Free Online Escape & Unescape Tools