BrowserTools
Advertisement
Home / Encoders / Escape & Unescape Tool

Escape & Unescape Tool

Escape or unescape text for HTML, XML, JSON, JavaScript, CSV and URLs, locally in your browser.

Maintained by BrowserTools · Last updated 2026-06-06

Escaping is the act of rewriting characters that have a special meaning in a given format so that they are treated as plain data instead of as syntax. This tool escapes and unescapes text for six common contexts: HTML, XML, JSON strings, JavaScript strings, CSV fields and URLs. Pick the context, choose escape or unescape, and the result updates as you type.

Loading Escape & Unescape Tool… If nothing happens, please enable JavaScript.

Frequently asked questions

What is the difference between HTML and XML escaping here?
They are almost identical: both turn &, <, >, " and ' into entities. The main practical difference is the apostrophe, which XML writes as &apos; while HTML often uses &#39; for wider compatibility. Unescaping handles named entities, decimal (&#39;) and hexadecimal (&#x27;) forms.
Why do JSON and JavaScript string escaping look the same?
Because JSON's string syntax is a strict subset of JavaScript's. Both escape double quotes, backslashes and control characters such as newlines (\n) and tabs (\t). The tool produces the inner content of a string literal, without the surrounding quotes, so you can drop it straight into your code or data.
How does CSV escaping work?
A CSV field only needs quoting when it contains a comma, a double quote, or a line break. In that case the field is wrapped in double quotes and any double quote inside it is doubled (" becomes ""). Fields without those characters are left untouched, which matches RFC 4180.
Does URL mode encode the whole URL or just a component?
It uses component encoding (the equivalent of encodeURIComponent), which percent-encodes reserved characters like /, ?, & and =. That is the correct choice for a single query-string value or path segment. To work on a full URL with its structure intact, use the dedicated URL encoder tool.
Is escaping the same as encryption?
No. Escaping only changes how characters are represented so a parser reads them as data, and anyone can reverse it instantly. It provides no secrecy. For confidentiality you need real encryption, not escaping or encoding.
Is my input uploaded anywhere?
No. All escaping and unescaping happens locally in your browser, so payloads, tokens and exported data never leave your device.

About Escape & Unescape Tool

The reason this matters is safety and correctness. Putting an unescaped angle bracket into HTML can break the page or open a cross-site scripting hole; an unescaped quote inside a JSON string makes the whole document fail to parse; a comma in a CSV field shifts every column after it. Each format has its own rules: HTML and XML use entities like &lt; and &amp;, JSON and JavaScript use backslash sequences like \" and \n, CSV wraps a field in double quotes and doubles any inner quotes, and URLs percent-encode reserved characters into forms like %20.

Everything runs locally in your browser, so you can paste API payloads, snippets and exported data without it leaving your device. The escape and unescape directions are exact inverses for well-formed input, and an 'Use output as input' button lets you chain or reverse a transformation in one click.

The escape character

The idea of an 'escape character', one symbol that changes the meaning of the next, is old enough to predate modern computing. The ASCII control code 27, still sent by the Escape key, was used by terminals to introduce control sequences, and the backslash was adopted by the C language in the early 1970s to embed quotes and newlines inside string literals. That backslash convention spread to almost every language that followed, which is why JSON and JavaScript escaping look so familiar.

The web added its own layer. HTML inherited SGML's ampersand entities so that authors could write a literal less-than sign without starting a tag, and URL percent-encoding was defined so that addresses could travel safely through systems that only understood a limited set of ASCII characters. Each scheme solves the same underlying problem in a different costume: how to say 'treat this character as data, not as instruction'.

Related tools

URL Encode / Decode

Percent-encode or decode URLs and query parameters, component-safe and full-URI modes.

Base64 Encoder & Decoder

Encode and decode Base64 text or files locally in your browser.

JSON Validator & Formatter

Validate, format and minify JSON in your browser with detailed error locations.
Advertisement