String Escape/Unescape
A tool for escaping and unescaping special characters in strings for various formats. Essential for data processing, API development, and frontend work!
Supported Formats
📝 JSON
Escapes special characters for JSON format.
Escape:
- Newline → \n
- Tab → \t
- Quotes → \"
- Backslash → \\
Use Cases:
- API request/response
- Configuration files
- Data storage
🌐 HTML
Escapes HTML special characters to prevent XSS attacks.
Escape:
- < → &lt;
- > → &gt;
- & → &amp;
- " → &quot;
- ' → &#39;
Use Cases:
- User input display
- XSS prevention
- HTML generation
🔗 URL
Encodes special characters for safe URL transmission.
Escape:
- Space → %20
- Korean/Special chars → Percent encoding
- Reserved characters → Encoded
Use Cases:
- Query parameters
- URL generation
- API endpoint calls
💻 JavaScript
Escapes special characters for JavaScript strings.
Escape:
- Newline → \n
- Quotes → \' or \"
- Backslash → \\
- Unicode → \uXXXX
Use Cases:
- Dynamic script generation
- Template literal processing
- Code generation
📄 XML
Escapes special characters for XML/HTML format.
Escape:
- < → &lt;
- > → &gt;
- & → &amp;
- " → &quot;
- ' → &apos;
Use Cases:
- XML document generation
- SOAP API
- RSS/Atom feeds
Practical Examples
Displaying User Input
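// Prevent XSS
const userInput = '<script>alert("XSS")</script>';
const escaped = escapeHTML(userInput);
// Result: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
// The string is already escaped, so assign it as markup; assigning it to
// textContent would display the entities literally (double escaping).
document.getElementById('output').innerHTML = escaped;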
API Request
// JSON escape
const data = {
  message: 'Hello\nWorld\t!'
};
const jsonString = JSON.stringify(data);
// Result (raw text, each backslash followed by a letter): {"message":"Hello\nWorld\t!"}
URL Query Parameters
// URL encoding
const searchQuery = '검색어 테스트';
const encodedQuery = encodeURIComponent(searchQuery);
// Result: %EA%B2%80%EC%83%89%EC%96%B4%20%ED%85%8C%EC%8A%A4%ED%8A%B8
const url = `https://api.example.com/search?q=${encodedQuery}`;
Dynamic Code Generation
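// JavaScript escape: backslashes first, then quotes and newlines
const userMessage = "It's a \"great\" day!";
const escapedMessage = userMessage
  .replace(/\\/g, '\\\\')
  .replace(/'/g, "\\'")
  .replace(/\n/g, '\\n');
const code = `console.log('${escapedMessage}');`;
// Result: console.log('It\'s a "great" day!');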
Usage Tips
1. Format Selection
- JSON: For API communication or data storage
- HTML: For displaying content on web pages
- URL: For query parameters or path segments
- JavaScript: For dynamically generating code
- XML: For XML documents or RSS feeds
2. When Escaping is Necessary
- ✅ User input display
- ✅ API data transmission
- ✅ Database query generation (prefer parameterized queries; see SQL Injection Prevention below)
- ✅ URL parameter passing
- ✅ Dynamic code generation
3. When Unescaping is Necessary
- ✅ Processing received API data
- ✅ Parsing query parameters
- ✅ Restoring stored data
- ✅ Processing URL-encoded data
Security Considerations
XSS Prevention
Always escape when displaying user input:
// ❌ Dangerous
element.innerHTML = userInput;
// ✅ Safe
element.textContent = userInput;
// or
element.innerHTML = escapeHTML(userInput);
SQL Injection Prevention
Use parameterized queries instead of escaping:
// ❌ Dangerous
const unsafeQuery = `SELECT * FROM users WHERE name = '${userInput}'`;
// ✅ Safe
const query = 'SELECT * FROM users WHERE name = ?';
db.execute(query, [userInput]);
Notes
- Different formats require different escaping methods
- Escaping ≠ Encoding (different concepts)
- Server-side validation is also necessary
- Be cautious with double escaping/unescaping
- Use built-in functions for each language
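The double-escaping and per-format notes above, worked through as an added example (not this tool's code). The helper names escapeHTML, unescapeHTML, chainedUnescape and escapeJSString are hypothetical, and the &#39; mapping for the apostrophe is an assumption:

```javascript
// Added example, not the tool's code. Helper names are hypothetical and all
// inputs are constructed samples.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const CHAR = Object.fromEntries(Object.entries(ENTITY).map(([ch, ent]) => [ent, ch]));

// One pass over the input: every character is mapped exactly once, so the "&"
// inside a freshly produced "&lt;" is not escaped again within the same call.
function escapeHTML(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY[ch]);
}

// One pass as well: "&amp;lt;" decodes to the text "&lt;", never on to "<".
function unescapeHTML(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => CHAR[ent]);
}

// Anti-pattern for comparison: chained replaces decode "&amp;" first and then
// decode the "&lt;" that this produced, removing two layers in one call.
function chainedUnescape(text) {
  return String(text).replace(/&amp;/g, '&').replace(/&lt;/g, '<').replace(/&gt;/g, '>');
}

// String literal for JavaScript that sits inside an HTML <script> block.
// JSON.stringify covers quotes, backslashes and control characters; "<" is
// rewritten so the literal cannot contain "</script>", and U+2028/U+2029 are
// rewritten for engines that treat them as line terminators.
function escapeJSString(text) {
  return JSON.stringify(String(text))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function demo() {
  const sample = '<script>alert("XSS")</script>'; // same sample as the page
  const once = escapeHTML(sample);
  return {
    once,                                          // correct for an HTML text node
    twice: escapeHTML(once),                       // double escaping: "&lt;" shows on screen
    roundTrip: unescapeHTML(once) === sample,
    strict: unescapeHTML('&amp;lt;b&amp;gt;'),     // "&lt;b&gt;" (one layer)
    chained: chainedUnescape('&amp;lt;b&amp;gt;'), // "<b>" (two layers)
    jsLiteral: escapeJSString(sample),             // HTML entities would be wrong here
  };
}

console.log(demo());
```

The `chained` result is why text that was escaped once must be unescaped exactly once: a decoder that removes two layers turns stored, escaped markup back into live markup.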