Tags: string escaper, escape characters, JSON escaping, SQL escaping, string manipulation

String Escaper: Escape and Unescape Strings for Any Context

Learn why string escaping is necessary, which characters need escaping in different contexts, and how to escape strings safely for JSON, JavaScript, SQL, HTML and more.


String escaping is the process of modifying special characters in a string so they can be safely interpreted in a specific context. Without proper escaping, characters like quotes, backslashes, angle brackets, and newlines can break data formats, introduce security vulnerabilities, or cause unexpected behavior in applications.

Every developer encounters string escaping regularly: when building JSON, writing SQL, outputting HTML, working with file paths, or constructing regular expressions. Understanding which characters need escaping and why is a fundamental skill.

Why Escaping Is Necessary

Every data format and programming language has a set of characters with special meaning. When your data happens to contain those characters, you must signal to the parser that they are literal values, not syntax.

In a JavaScript string delimited by double quotes, a double quote inside the string must be escaped with a backslash so the parser does not treat it as the end of the string. "He said \"hello\"" is a single literal whose content is He said "hello": the backslashes are part of the source text, not of the string value.

In HTML, the less-than sign has special meaning as the start of a tag. To display "3 < 5" as text rather than the start of an invalid tag, you write "3 &lt; 5".

In SQL, a single quote terminates a string literal. The name "O'Brien" in an SQL query requires the apostrophe to be escaped, typically by doubling it to "O''Brien" or using parameterized queries.

JSON Escaping

JSON strings must escape three things: the double quote (which delimits the string), the backslash, and every control character, meaning all code points below 32 (U+0000 to U+001F), which includes newline, tab and carriage return. A control character is written either with a short escape such as \n or \t or, for those without a short form, as a \u escape followed by four hexadecimal digits, for example \u0001.

Common JSON escapes: backslash becomes double-backslash, newline becomes backslash-n, tab becomes backslash-t, double quote becomes backslash followed by a double quote.

JavaScript String Escaping

JavaScript strings support similar escape sequences. Backslash starts an escape sequence, so a literal backslash requires a double backslash. Whether a single or a double quote needs escaping depends on which one delimits the string. Template literals (delimited by backticks) additionally require escaping backticks and the sequence ${, which would otherwise start a substitution.
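The two sections above describe the same family of rules, so here is one added example that implements both: a JSON string escaper following the rules just listed, and a JavaScript string-literal escaper that adds the delimiter-specific cases. This is example code written for this article, not the String Escaper tool's own implementation. It also goes slightly beyond the text by escaping U+2028 and U+2029 in the JavaScript case, which older engines treated as line terminators inside a literal; the cross-check against Python's json.dumps shows that the hand-written JSON rules match the standard library's.

```python
import json

# Short escapes that JSON and JavaScript share; every other control
# character falls back to a \u00XX escape.
_SHORT_ESCAPES = {
    "\\": "\\\\", "\b": "\\b", "\f": "\\f",
    "\n": "\\n", "\r": "\\r", "\t": "\\t",
}


def escape_json_string(s: str) -> str:
    """Return s as a quoted JSON string literal (RFC 8259 rules): escape the
    double quote, the backslash and every code point below 32; everything
    else, including non-ASCII text, passes through unchanged."""
    out = []
    for ch in s:
        if ch == '"':
            out.append('\\"')
        elif ch in _SHORT_ESCAPES:
            out.append(_SHORT_ESCAPES[ch])
        elif ord(ch) < 0x20:
            out.append(f"\\u{ord(ch):04x}")  # e.g. U+0001 -> \u0001
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def escape_js_string(s: str, delimiter: str = '"') -> str:
    """Return s as a JavaScript string literal using delimiter (", ' or `).
    On top of the JSON rules: the chosen delimiter is escaped, a template
    literal escapes the "${" that would start a substitution, and U+2028 /
    U+2029 are escaped because engines before ES2019 treated them as line
    terminators even inside a string literal."""
    if delimiter not in ('"', "'", "`"):
        raise ValueError("delimiter must be \", ' or `")
    out = []
    i = 0
    while i < len(s):
        ch = s[i]
        if delimiter == "`" and s.startswith("${", i):
            out.append("\\${")  # \$ is a valid escape, so this stays literal "${"
            i += 2
            continue
        if ch == delimiter:
            out.append("\\" + ch)
        elif ch in _SHORT_ESCAPES:
            out.append(_SHORT_ESCAPES[ch])
        elif ord(ch) < 0x20 or ch in "\u2028\u2029":
            out.append(f"\\u{ord(ch):04x}")
        else:
            out.append(ch)
        i += 1
    return delimiter + "".join(out) + delimiter


def matches_stdlib(s: str) -> bool:
    """Cross-check: json.dumps(ensure_ascii=False) applies exactly the rules
    escape_json_string implements, so the two outputs must agree."""
    return json.dumps(s, ensure_ascii=False) == escape_json_string(s)


if __name__ == "__main__":
    # Constructed sample inputs covering each rule.
    print(escape_json_string('say "hi"\n\x01'))
    print(escape_js_string("it's", "'"))
    print(escape_js_string("cost ${x}", "`"))
    print(matches_stdlib('a"b\\c\n\t\x01é'))
```

The JSON escaper is also a valid escaper for a double-quoted JavaScript string, which is why escape_js_string reuses the same table; the only additions are the delimiter, the ${ sequence and the two line-separator code points.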

HTML Escaping

HTML escaping prevents cross-site scripting (XSS) attacks and display errors. The five characters requiring escaping in most contexts are: ampersand (&amp;), less-than (&lt;), greater-than (&gt;), double quote (&quot;), and single quote (&apos; or &#39;).

Any user-provided content displayed in an HTML page must be HTML-escaped at the point where it is inserted into the markup. Failing to escape user input is one of the most common causes of XSS vulnerabilities.
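As an added example (not the article's or the tool's own code), the following shows the difference between inserting user content into HTML verbatim and escaping it first, using Python's html.escape, which covers the five characters listed above. The comment text is a constructed sample; note that Python writes the apostrophe as &#x27;, one of the equivalent spellings mentioned in the text.

```python
import html

# Constructed sample of user-supplied content that happens to contain markup.
SAMPLE_COMMENT = 'Nice post! <script>alert("xss")</script>'


def escape_html(text: str) -> str:
    """Escape the five HTML-significant characters so the browser shows them
    as text. html.escape with quote=True (the default) covers & < > " and ',
    writing the apostrophe as &#x27;; &apos; and &#39; mean the same thing."""
    return html.escape(text, quote=True)


def render_comment_unsafe(comment: str) -> str:
    """The bug: user content is dropped into the markup verbatim, so any tag
    in it becomes part of the page."""
    return f'<p class="comment">{comment}</p>'


def render_comment(comment: str) -> str:
    """The fix: escape at the point where the text enters HTML."""
    return f'<p class="comment">{escape_html(comment)}</p>'


def render_attribute(value: str) -> str:
    """Attribute values must escape quotes too (hence quote=True); otherwise
    a quote character in the data would close the attribute early."""
    return f'<input type="text" value="{escape_html(value)}">'


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))  # the tag survives: a bug
    print(render_comment(SAMPLE_COMMENT))         # the tag is shown as text
    print(render_attribute('say "hi"'))
```

Escaping belongs at the output boundary, not at input time: the same string may later be embedded in JSON, a URL or a shell command, each of which has its own rules, and escaping it for HTML on the way in would corrupt it for those other contexts.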

SQL Escaping

SQL injection is one of the most prevalent security vulnerabilities in web applications. It occurs when user input is concatenated directly into SQL queries without escaping. Proper escaping or, better, parameterized queries prevent malicious input from altering the query structure.

Character escaping in SQL varies by database: MySQL uses backslash before special characters, PostgreSQL and SQL Server use quote doubling. Using parameterized queries is safer than manual escaping because the database driver handles the transformation correctly.
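The following added example (not from the article or the tool) puts the three approaches side by side against an in-memory SQLite table constructed for the demo: naive concatenation, which the name O'Brien from the earlier section is enough to break; manual quote doubling, the SQL-standard rule that SQLite, PostgreSQL and SQL Server follow; and a parameterized query, where the driver keeps the value separate from the statement text.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two rows to query against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("O'Brien",), ("Smith",)])
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    """Broken: the value is glued into the statement text, so an apostrophe in
    the data ends the literal early and changes the structure of the query."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_doubled(conn: sqlite3.Connection, name: str) -> list:
    """Manual escaping by quote doubling. Correct for this dialect, but every
    call site has to remember it, and the rule differs between databases."""
    safe = name.replace("'", "''")
    return conn.execute(f"SELECT name FROM users WHERE name = '{safe}'").fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """Preferred: the value travels separately from the statement, so no
    character in the data can be read as SQL syntax, whatever the dialect."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def concat_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query fails to parse for this input."""
    try:
        find_user_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    print(find_user_param(conn, "O'Brien"))       # [("O'Brien",)]
    print(find_user_doubled(conn, "O'Brien"))     # [("O'Brien",)]
    print(concat_breaks(conn, "O'Brien"))         # True: the query is malformed
```

The failure on a perfectly legitimate name is the same mechanism as injection: data has been allowed to become syntax. A parameterized query removes that possibility instead of patching over it one character at a time.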

URL Escaping

URLs can only safely contain a subset of ASCII characters. Special characters and non-ASCII text must be percent-encoded: each byte is represented as a percent sign followed by two hexadecimal digits. A space becomes %20, a slash becomes %2F.

This is distinct from the encoding used for form-style query strings (application/x-www-form-urlencoded), where a space is represented as a plus sign and a literal plus sign must therefore be percent-encoded. The distinction matters when you assemble URL components by hand: a plus sign in a path segment is literal, but in a form-encoded query string it decodes to a space.
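As an added example (not the article's or the tool's code), this builds a URL from separately encoded parts using Python's urllib.parse. The base URL and the path and query values are constructed samples. It shows the two rules side by side: percent-encoding for a path segment, including a slash that belongs to the data, and form encoding for the query string, where the decoder must match the encoder or plus signs and spaces get confused.

```python
from urllib.parse import quote, quote_plus, unquote, unquote_plus, urlencode


def encode_path_segment(segment: str) -> str:
    """Percent-encode one path segment. quote() keeps '/' by default because
    it expects a whole path; safe="" turns a slash inside the data into %2F
    so it cannot be read as a path separator. Non-ASCII text is UTF-8 encoded
    first, then each byte becomes %XX."""
    return quote(segment, safe="")


def encode_query(params: dict) -> str:
    """application/x-www-form-urlencoded: spaces become '+', and a literal '+'
    in the data becomes %2B so the two cannot be confused (urlencode applies
    quote_plus to each key and value)."""
    return urlencode(params)


def build_url(base: str, segments: list, params: dict) -> str:
    """Assemble a URL from already-separated parts, encoding each part with
    the rule for its own position."""
    path = "/".join(encode_path_segment(s) for s in segments)
    return f"{base}/{path}?{encode_query(params)}"


def decode_query_value(value: str) -> str:
    """The reverse direction: unquote leaves '+' alone, unquote_plus turns it
    back into a space, so a form-encoded value needs unquote_plus."""
    return unquote_plus(value)


def plus_round_trip_mismatch(text: str) -> bool:
    """True when decoding a form-encoded value with the path decoder would
    corrupt it, which happens whenever the text contains a space."""
    return unquote(quote_plus(text)) != text


if __name__ == "__main__":
    # Constructed sample values; example.com is a reserved documentation domain.
    print(build_url("https://example.com", ["files", "a b/c"], {"q": "x y"}))
    print(decode_query_value("a+b%2Bc"))
    print(plus_round_trip_mismatch("a b"))
```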

Shell Escaping

When passing values to shell commands, characters like spaces, quotes, dollar signs, and backticks have special meanings. Wrapping a value in single quotes makes every character inside literal, with one exception: a single quote cannot appear inside single quotes at all, so it needs special handling (commonly closing the quoted section, inserting a separately quoted single quote, and reopening it).
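An added example (not from the article or the tool) of the single-quote rule just described, using Python's shlex.quote alongside the same rule written by hand. The sample value is constructed to contain the characters the text lists as special. The last function shows the alternative that needs no escaping at all: handing the command an argument list so that no shell parses the value.

```python
import shlex
import subprocess
import sys

# Constructed sample containing the characters the shell treats specially.
SAMPLE = "it's $HOME `date` *"


def shell_quote(value: str) -> str:
    """Quote value for a POSIX shell. shlex.quote wraps it in single quotes,
    inside which nothing is special, except that a single quote cannot appear
    at all: each one is written as '"'"' (close, a double-quoted quote, reopen).
    Values made only of safe characters are returned unchanged."""
    return shlex.quote(value)


def manual_quote(value: str) -> str:
    """The same rule written out by hand, to show what shlex.quote produces."""
    return "'" + value.replace("'", "'\"'\"'") + "'"


def run_via_shell(value: str) -> str:
    """Build a command line for /bin/sh with the value quoted and return what
    the command actually received; $HOME and `date` must arrive untouched."""
    cmd = f"printf '%s' {shell_quote(value)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout


def run_without_shell(value: str) -> str:
    """Preferred: pass an argument list with shell=False, so no shell ever
    parses the value and no quoting is needed. A tiny Python child process
    stands in for the real command and echoes its first argument."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(shell_quote(SAMPLE))          # 'it'"'"'s $HOME `date` *'
    print(run_via_shell(SAMPLE) == SAMPLE)
    print(run_without_shell(SAMPLE) == SAMPLE)
```

Quoting is only needed when a shell will interpret the string; if the command is launched directly with an argument list, each argument is delivered as-is and the question of escaping never arises.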

Using the DevHexLab String Escaper

Open the tool at /tools/text/string-escaper. Paste any string and select the target format (JSON, JavaScript, HTML, URL, SQL). The tool applies the correct escaping rules and shows the result. You can also unescape strings to see their original content. Use it whenever you need to safely embed string data in a specific context.