JSON Escape Online — Escape Strings for JSON

Encode ", \, and control characters per RFC 8259 so any string drops cleanly into a JSON document, JS source file, or HTTP body — 100% in your browser.

What is JSON Escaping?

JSON escaping rewrites a raw string so every character that has syntactic meaning to the JSON parser — the double quote ", the backslash \, and every control character below U+0020 — is replaced with its escape sequence (\", \\, \n, , etc.). The result is a self-contained JSON string literal you can drop into any JSON document or JavaScript source file.

RFC 8259 defines exactly which characters must be escaped and how. The OpenFormatter JSON escape tool delegates to the browser's native JSON.stringify, which is the canonical implementation of the spec — no upload, no server, no rate limits.

How to escape a string for JSON — 4 steps

  1. Paste your raw text. Multi-line, quote-heavy, backslash-laden — any string goes into the Input panel. Click Load Sample to load a Windows path with embedded quotes.
  2. Click Run. The escaper invokes JSON.stringify on your machine and produces a fully-quoted RFC 8259 string literal.
  3. Verify the output. Every " is now \", every \ is \\, newlines are \n, tabs \t, and the result has surrounding double quotes.
  4. Drop it into your JSON. Paste the literal as a value in a JSON object, an HTTP request body, or a JS source file — it parses cleanly with JSON.parse.

Sample raw input vs escaped JSON literal

Raw input

{
  "path": "C:\Users\file.txt",
  "msg": "He said "hello"",
  "tab": "col1	col2"
}

Escaped JSON string

"{\n  \"path\": \"C:\\Users\\file.txt\",\n  \"msg\": \"He said \"hello\"\",\n  \"tab\": \"col1\tcol2\"\n}"

RFC 8259 Compliant

Escapes exactly the set the spec requires — quote, backslash, and U+0000 to U+001F — using the named shortcuts \b \t \n \f \r where defined and \u00XX otherwise.

Round-Trip Safe

JSON.parse always recovers the original string from the escaped form, including astral-plane characters stored as UTF-16 surrogate-pair \u escapes.

Browser-Only

Escaping uses the native JSON.stringify on your device. Proprietary text, API keys, and customer records never leave your browser.

Common use cases

  • check_circleEmbedding a multi-line SQL query, regex, or shell script as a JSON string field
  • check_circleEscaping Windows file paths (C:\Users\...) before they hit a JSON config
  • check_circlePreparing raw stack traces or log lines for shipment to Elasticsearch / Loki
  • check_circleDropping a code snippet into a Slack webhook payload that requires JSON
  • check_circleEmbedding HTML or XML markup as a JSON value without breaking parsing
  • check_circleEncoding error messages with embedded quotes for an API error response
  • check_circleBuilding Postman / Insomnia request bodies that contain quote characters
  • check_circleRound-tripping arbitrary text through a JSON column in PostgreSQL or MongoDB

JSON escape vs JS escape vs URL encode

All three encode special characters, but each targets a different parser. JSON escape follows RFC 8259 — it permits only "-delimited strings, has no \xNN or \u{}, and produces output that JSON.parse can read. JavaScript escape is a superset: it allows single quotes, hex bytes, and ES6 code-point escapes, so JS-escaped output is not always valid JSON. URL encode uses percent-encoding (%20, %2F) and is for query strings and path segments, not string literals. Pick the one that matches the destination parser, or you will produce technically-encoded output the destination still rejects.

Need to reverse the operation?

Decode an escaped JSON string, escape for a different format, or browse the full escape and JSON toolkit.

JSON UnescapeJSON FormatterAll Escape Tools

Frequently Asked Questions

Why must `"` and `\` always be escaped in JSON strings?

A JSON string is delimited by a pair of double quotes. An unescaped " inside the string would close it prematurely, leaving the parser to choke on the rest. The backslash is the escape lead-in itself, so it must be doubled (\\) to represent a literal backslash. RFC 8259 lists these two characters as the only "must-escape" characters apart from the U+0000–U+001F range.

Are control characters below 0x20 always escaped?

Yes. RFC 8259 §7 forbids any unescaped character in the range U+0000 to U+001F inside a JSON string. Six of them have shortcuts (\b \t \n \f \r and the implicit ", \), and every other control character must be written as \u00XX. JSON.stringify enforces this automatically.

Why are there no comments allowed inside JSON strings?

JSON has no comment syntax at all — not inside strings, not between members. Inside a string the // and /* sequences are simply two literal characters; outside a string they are a parse error. If you need to ship comments, use JSON5, JSONC, or store the comment as a real key like "_comment".

Does it escape forward slash (/)?

RFC 8259 permits but does not require \/ — a forward slash is legal inside a JSON string with or without a backslash. JSON.stringify does not escape it. The escaped \/ form exists only so a JSON document can be safely embedded inside an HTML <script> tag without producing the </ sequence that would close the script element.

Does it add the surrounding double quotes?

Yes. The output is a complete JSON string literal — opening quote, escaped content, closing quote — so you can paste it directly into a JSON document or a JavaScript source file. This matches JSON.stringify("...") behaviour. Strip the outer quotes if you need only the escaped content.

How does this differ from a JavaScript string escape?

JSON is a strict subset of JavaScript string syntax. The big differences: JSON does not allow single-quoted strings, has no \xNN hex escapes, no \u{...} extended Unicode, no octal escapes, no template literals, and no line continuations. A JS-escaped string may not be valid JSON; a JSON-escaped string is always valid JS.

Will JSON.parse round-trip the escaped output?

Yes. JSON.parse(JSON.stringify(s)) === s for any string s — that is the formal guarantee of RFC 8259 plus the ECMAScript specification. The escape preserves every code point exactly, including astral plane characters that are stored as surrogate pair \u escapes.

Is the input sent to your servers?

No. Escaping runs entirely in your browser using JSON.stringify. Strings containing tokens, secrets, customer data, or proprietary content never leave your device. Open DevTools → Network and click Run to verify no requests are made.

Related Tools

JSON Unescape

Decode RFC 8259 string escapes

JavaScript Escape

Escape strings for JS literals

HTML Escape

Encode HTML-sensitive characters

XML Escape

Encode the 5 XML predefined entities

JSON Formatter

Beautify and indent JSON documents

All Escape Tools

Browse the full escape toolkit

Developer Insights

From the Blog

View all articlesarrow_forward
Formats8 min read

YAML vs JSON in 2024: When to Use Each

A definitive guide on choosing the right data serialization format for modern infrastructure.

Read articlearrow_forward
Engineering6 min read

Why JSON Formatting Matters More Than You Think

How proper JSON structure prevents production bugs, improves debugging, and makes code reviews faster.

Read articlearrow_forward
Privacy4 min read

The Case for 100% Client-Side Data Processing

Why we built OpenFormatter to process all data locally, and what that means for your workflow security.

Read articlearrow_forward
JSON Escape Online — Escape Strings for JSON