ToolActToolAct

JSON Escape Tool

Quickly escape and unescape JSON strings

Input
Characters: 0
Bytes: 0
Output
Characters: 0
Bytes: 0

Select Conversion Method

What is JSON Escape?

JSON escaping is the process of converting special characters in JSON strings to escape sequences. Common escape characters include: double quotes to \" , backslash to \\, newlines to \n, tabs to \t, etc. Use cases: When you need to embed JSON within another JSON string, define JSON string constants in code, or store JSON data in a database, escaping is required. JSON escaping prepares text so it can be placed safely inside a JSON string. Quotes, backslashes, line breaks, tabs, and control characters need correct escaping or the parser may treat them as structure instead of content. Common targets include API payloads, configuration values, logs, embedded error messages, and test data. Escaping a string does not validate the entire JSON document, and it does not automatically make the result safe for HTML, JavaScript, SQL, or shell contexts.

How to Use

How to use

  1. Paste or enter text in the input box
  2. Click 'JSON Escape' to escape special characters (e.g., " to \")
  3. Click 'JSON Unescape' to restore escaped characters (e.g., \" to ")
  4. Results appear automatically below, ready to copy

Escaping Notes

  • Escape text for the target context only; JSON strings, JavaScript source, URLs, and HTML attributes have different escaping rules.
  • After unescaping, check line breaks, backslashes, and quotes before pasting into configuration files.

Use Cases

Embedding text safely inside JSON stringsWhen an error message, SQL fragment, regex, Windows path, or multi-line prompt needs to become a JSON string value, escape mode converts quotes, backslashes, newlines, and control characters into JSON-safe sequences. The character and byte counts help you notice payload growth before pasting it into an API request. Everything is processed in the browser via the standard JSON.stringify step, so the source string never leaves the page.
Reading escaped payloads from logsAPI gateways and logging systems often show JSON string values with escaped newlines and quotes. Unescape mode turns those sequences back into readable text, making it easier to inspect stack traces, serialized prompts, webhook bodies, and copied configuration values. The unescape uses the browser's JSON.parse path, so the rebuilt characters stay local and only appear in the output field until you copy them yourself.
Round-tripping tricky text locallyBecause the tool relies on the browser JSON parser and stringifier, it mirrors normal JSON string escaping rules instead of inventing a custom dialect. That makes it a good local scratchpad for checking whether a value will survive being placed inside a JSON document. The input string is processed in the browser only - no API call is made, so drafts that include stack traces, prompts, or unreleased copy never cross the network.
Escape values for inclusion in a JSON-in-JSON fieldWhen a webhook payload must carry a serialized JSON object as the value of a string field, run the inner JSON through escape mode so the outer parser still reads it as one string. Pair the output with an unescape pass on the receiver side to confirm round-trip integrity before shipping the contract. Because the escape is a local stringify, you can experiment with edge cases like nested quotes or embedded \u sequences without exposing the contract to outside tools.
Spot control characters hiding in copied textPasted text from terminals, PDFs, or chat apps often contains NUL bytes, BEL, or stray CR characters that quietly break downstream JSON parsers. Escaping surfaces these as \u0000-style sequences so they can be reviewed and stripped, rather than turning the document into an invalid blob. The scan runs entirely against the in-page JSON encoder, so pasted strings that contain private snippets are surfaced and rewritten without ever leaving the browser tab.

Technical Principle

JSON (RFC 8259) is a strict text grammar; every string literal must be wrapped in ASCII double quotes (U+0022), and any character that could break that grammar must be expressed as a backslash escape. The mandatory escapes are: double quote to backslash-quote, backslash to double-backslash, and the 32 control characters from U+0000 to U+001F (which include \b U+0008, \f U+000C, \n U+000A, \r U+000D, \t U+0009). Any character above U+001F may appear in the string as its raw UTF-8 byte sequence, including CJK ideographs, emoji, accented letters, and other supplementary characters. The forward slash character is optional to escape (\/), but the convention is to escape it when the JSON is embedded inside HTML <script> tags, so that the closing-script-tag sequence does not close the surrounding script element prematurely. Two layers of escaping show up in practice. JSON escape (the syntactic substitution) is the only one RFC 8259 requires: it ensures the string is valid JSON, period. Unicode escape (rewriting each character as \uXXXX or \u{XXXXX}) is a representational choice, not a syntactic requirement - it only changes how the bytes look in the file, not what they decode to. CJK text is already valid in JSON as its raw UTF-8 bytes; the page Unicode-escape mode rewrites it as \uXXXX, which is useful when feeding the string into a Java or JavaScript source file where the surrounding parser would otherwise have to deal with multi-byte UTF-8, but it adds 4-6 bytes per character and obscures readability. The escape rules have corner cases. JSON.parse is strict about leading zeros (01 is a parse error, even though JavaScript would accept it as octal 1); JSON.stringify in V8 always produces minimum-necessary escapes (control characters as \b/\n/\r/\t/\f when possible, otherwise as \uXXXX, and the solidus /, U+2028, U+2029 are left raw for human-readable output). A lone surrogate (a high surrogate not followed by a low surrogate) is technically valid JSON per RFC 8259, but JSON.parse in strict mode or in TypeScript rejects it as InvalidString; the page escape mode replaces lone surrogates with \uFFFD (replacement character) so the output round-trips through any standard parser. For JavaScript source-code embedding, the JSON string needs a third escape layer: JSON inside a JS string literal must escape the backslashes themselves. The page JS string output mode adds that double-escape, and the eval or JSON.parse button shows that the two encodings decode to the same string. Embedded-in-HTML contexts add a fourth layer: <, >, & need HTML entity escaping in the surrounding page, and attribute values need quote-escaping too. JSON-in-HTML is famously dangerous (the </script> pitfall above) and is best avoided in favour of safe sinks like textContent assignment or JSON.stringify into a <script type="application/json"> block (read later via script.textContent, never eval). JSON5 (a popular superset) adds single-quoted strings, multi-line strings, unquoted keys, trailing commas, NaN/Infinity, and single-line // comments. The page does not produce JSON5 output; if you need to round-trip, use a dedicated library.

  • JSON strings (RFC 8259) must escape double quote to backslash-quote, backslash to double-backslash, and the 32 control characters U+0000..U+001F (\b \f \n \r \t, plus the rest as \uXXXX). Everything above U+001F is valid raw UTF-8, including CJK, emoji, and accented letters.
  • Two layers of 'escape' show up: JSON escape (syntactic, required) makes the string valid JSON; Unicode escape (representational) rewrites characters as \uXXXX and only changes readability, not validity.
  • Optional '/': / to \/ is allowed in JSON. Convention: escape it when embedding JSON in HTML <script> so the closing-script-tag sequence does not close the surrounding tag.
  • CJK is not escaped in raw UTF-8 JSON: the example '你好' is 6 raw bytes. The page Unicode-escape mode rewrites it as \u4f60\u597d for use in source files, which trades readability for compatibility.
  • Lone surrogates: a high surrogate (U+D800..U+DBFF) not followed by a low surrogate is technically valid JSON per RFC 8259, but JSON.parse in strict mode or TypeScript rejects it. The page replaces lone surrogates with \uFFFD so the output round-trips through strict parsers.
  • JSON.parse is strict: leading zeros (01) are a parse error, NaN/Infinity are not valid literals, trailing commas are not allowed. JSON.stringify in V8 always produces minimum-necessary escapes and leaves solidus / and U+2028/U+2029 raw for readability.
  • JSON-in-JS: to embed a JSON string in a JS string literal, double the backslashes. The page 'JS string' output adds that layer; eval on the result gives the same string as JSON.parse.
  • JSON5 superset: single-quoted strings, multi-line strings, unquoted keys, trailing commas, NaN/Infinity, single-line // comments. The page produces strict RFC 8259 JSON, not JSON5.

Examples

Strings With Double Quotes and Backslashes

Input:  He said "Hello\World"
Output: He said \"Hello\\World\"

Strings With Newlines and Tabs

Input:  Line1\tIndent\nLine2
Output: Line1\tIndent\nLine2

Strings With Chinese and Double Quotes

Input:  {"name": "Alice", "msg": "He said \"Hi\""}
Output: {\"name\": \"Alice\", \"msg\": \"He said \\\"Hi\\\"\"}

FAQ

What does escaping a JSON string do?

It wraps the input in quotes and replaces each special character with its JSON-safe escape sequence: " → \", \ → \\, newline → \n, tab → \t, control characters → \u00NN. The result is a valid JSON string literal you can paste into another JSON document or a code editor.

Why would I need this?

Common cases: embedding a multi-line message inside a JSON config file, passing a JSON string as a command-line argument, putting JSON inside JSON (e.g. an API request body that is itself a JSON-encoded string), or sanitising user input before logging.

Is escaping the same as URL encoding?

No. JSON escaping uses \n, \", \u00XX. URL encoding uses %20, %22, %0A. Different syntactic contexts, different escape rules. Use whichever matches the destination format.

Will the unescape mode handle every JSON escape?

Yes - all standard escapes (\", \\, \/, \b, \f, \n, \r, \t, \uXXXX). Surrogate pairs for code points above U+FFFF (\uD83D\uDE00 = 😀) are reassembled into the actual emoji. Malformed escape sequences produce an error you can correct.

What's the difference between escaping a string and stringifying an object?

Escaping turns a piece of text into a quoted JSON string. Stringifying (JSON.stringify) turns a JavaScript object into a full JSON document. This page does the first; for the second, write the object as JSON in your code editor or use a JSON formatter.

Are control characters always escaped?

Yes - JSON requires it. Newlines, tabs, NULL, and other ASCII control characters (0x00-0x1F) must be escaped or the resulting string is not valid JSON. Some implementations also escape DEL (0x7F) and characters above U+FFFF; the page follows RFC 8259 strictly.

Is the data sent anywhere?

No. Escaping and unescaping run in your browser. Pasted text is not uploaded.