When do I need to escape JSON?

Whenever a JSON string is going somewhere that has its own quoting rules: inside another JSON document as a value, inside an HTML attribute, inside a SQL query literal, inside a shell command, inside a YAML quoted scalar, or inside a regex pattern. Escaping turns the characters that would break the outer context into safe escape sequences.

What characters get escaped?

The six required escapes are double quote ("), backslash (\), backspace (\b), form feed (\f), newline (\n), carriage return (\r) and tab (\t). Any other ASCII control character (codepoints 0–31) becomes a \u00XX hex escape. Forward slash (/) may optionally be escaped as \/ — JSONNeat leaves it unescaped, which is also valid.

What is the difference between escaping and encoding?

Escaping changes specific characters into safer sequences while staying in the same character set (\n instead of a literal newline). Encoding changes the entire representation, like UTF-8 encoding turning a string into bytes, or Base64 turning bytes into ASCII. They are different operations and not interchangeable.

Why does my escaped string have lots of backslashes?

Each level of embedding doubles backslashes. A string containing a quote, embedded once becomes \" ; embedded twice becomes \\\" ; three times becomes \\\\\\\". This is the famous "backslash explosion" you see in deeply nested logs and webhook payloads.

Will escaping change the meaning of my text?

No. Escaping is fully reversible — running the output back through the unescape mode produces byte-identical input. The escaped form is just a different textual representation of the same string value.

When should I unescape?

When you have a string that was meant to be a JSON value but was stored or transmitted in its escaped form — for example, a webhook payload field that contains \"event\": \"signup\" as a literal string. Unescaping recovers the underlying JSON for further parsing.

Is this the same as URL encoding or HTML encoding?

No. URL encoding turns special characters into %XX sequences for use in URLs. HTML encoding turns < into < for use in HTML. JSON escaping uses backslash sequences specific to JSON strings. Mixing them up is a common source of double-encoding bugs.

Do I need to escape Unicode characters like é or 中?

No. JSON strings are Unicode by default — emoji, accented letters, CJK characters are all legal as-is. Some legacy systems require pure ASCII output, in which case every non-ASCII character is replaced with a \uXXXX escape. JSONNeat keeps Unicode as-is for readability; let us know if you need an ASCII-only mode.

Is my data sent anywhere?

No. The escape and unescape operations run entirely in your browser using local JavaScript. Nothing is uploaded, logged or transmitted — safe for processing tokens, credentials, or any other sensitive string.

JSON escape and unescape

Make a string safe to drop inside a JSON value (or recover the original).

Pick a mode, paste your text, and the converted version appears. Use it when you need to embed a JSON document inside another JSON document, an HTML attribute, or a SQL literal — anywhere quotes and newlines would otherwise break things.

Input

Output

Last updated June 2026 · Maintained by the JSONNeat author

What escaping means

A JSON string is a sequence of characters between two double quotes. Most characters can appear literally — letters, digits, spaces, even most Unicode. A handful can't, because they would either end the string early or confuse the parser. Escaping rewrites those characters into safe sequences; a later parser turns them back.

The complete list of characters that must be escaped inside a JSON string:

" (double quote) — would end the string
\ (backslash) — would start an escape sequence
\b (backspace, U+0008)
\f (form feed, U+000C)
\n (line feed, U+000A)
\r (carriage return, U+000D)
\t (horizontal tab, U+0009)
Any other control character (codepoints U+0000 through U+001F) becomes \u00XX

Forward slash (/) is the one optional case. It's legal to escape it as \/, but not required. Some HTML-embedding tools choose to escape it because </script> inside a JSON-as-script payload would otherwise prematurely close the surrounding tag. JSONNeat does not escape forward slashes by default — handle that downstream if you embed JSON in HTML.

The five places escaping comes up in real code

JSON inside JSON. A webhook payload field that itself contains a JSON document. The inner document's quotes are escaped so the outer document is still parseable. After parsing the outer document, you unescape the field to get back the inner JSON.
JSON inside HTML. Server-side rendering pages with embedded JSON state often write something like <script>window.__STATE = {...};</script>. If any string contains</script>, the page breaks. The safe pattern is to escape forward slashes (or useJSON.stringify with a replacer that does so).
JSON inside SQL. Storing a JSON document as a string column in MySQL or Postgres requires escaping the embedded quotes for the SQL literal syntax. Most ORMs do this for you; if you're writing raw SQL by hand, use parameter binding instead of string concatenation.
JSON inside shell commands. curl -d '{...}' works until your JSON contains a single quote, at which point you need shell-specific escaping plus JSON escaping. Most tutorials get this wrong; prefer --data-binary @file.json or stdin instead.
JSON inside YAML. YAML supports JSON as a subset of its quoted-scalar syntax, but the escape rules differ. A safer pattern in YAML is the literal block scalar (|) with the JSON document indented underneath.

Worked example: escape and unescape round trip

Start with a string that contains a quote and a newline:

She said "hello"
to the world.

After JSON-escaping (mode: Escape):

She said \"hello\"\nto the world.

Notice that the literal newline became \n and each quote became \". The escaped form is one logical line and contains no characters that would break a JSON string literal.

Paste that escaped form back into the tool with mode set to Unescape, and you get the original two-line string with the quotes restored. The round trip is exact, including the trailing newline if there is one.

The infamous "backslash explosion"

Every layer of embedding doubles the number of backslashes you see in the wire format, because each layer escapes the previous layer's escapes. A string containing a single double quote, transported through three layers of escaping, looks like:

Layer 0 (original): "
Layer 1 (escaped once): \"
Layer 2 (escaped twice): \\\\\"
Layer 3 (escaped three times): \\\\\\\\\\\"

When you see a webhook payload bristling with backslashes, count them in pairs to figure out the depth. An odd-looking \\\\\\\\\" almost always means the data passed through three serialisation boundaries. JSONNeat's unescape mode peels one layer at a time — run it repeatedly until the result stops changing.

Common mistakes

Using URL encoding instead of JSON escaping. They are different operations.%20 is URL-encoded; is JSON-escaped. URL encoding inside a JSON string will be treated as literal text, not interpreted as a space.
Double escaping. Calling JSON.stringify on an already-stringified JSON value produces a string with everything escaped twice. The fix is to JSON.parse first, then stringify once.
Forgetting to escape backslash. Easy to miss because the visual change is small. Windows paths and regex patterns are the usual sources.
Pasting smart quotes. The escape tool happily escapes “ and ”but they are not equivalent to ". If your downstream parser expects ASCII quotes, replace them before escaping.
Escaping when you should be encoding. If you're embedding a binary blob (an image, a key) inside JSON, Base64-encode it first, then put the resulting ASCII string into a JSON value. JSON escaping alone won't make raw bytes safe.

Related JSONNeat tools

JSON validator — check whether a document parses
JSON formatter — pretty-print for reading
JSON minifier — strip whitespace for the wire

Privacy

Escaping and unescaping happen entirely client-side. Your text is never uploaded — paste tokens, API keys, customer data or any other sensitive string with the same confidence you'd have running the equivalent script on your own machine.

Frequently asked questions

When do I need to escape JSON?: Whenever a JSON string is going somewhere that has its own quoting rules: inside another JSON document as a value, inside an HTML attribute, inside a SQL query literal, inside a shell command, inside a YAML quoted scalar, or inside a regex pattern. Escaping turns the characters that would break the outer context into safe escape sequences.
What characters get escaped?: The six required escapes are double quote ("), backslash (\), backspace (\b), form feed (\f), newline (\n), carriage return (\r) and tab (\t). Any other ASCII control character (codepoints 0–31) becomes a \u00XX hex escape. Forward slash (/) may optionally be escaped as \/ — JSONNeat leaves it unescaped, which is also valid.
What is the difference between escaping and encoding?: Escaping changes specific characters into safer sequences while staying in the same character set (\n instead of a literal newline). Encoding changes the entire representation, like UTF-8 encoding turning a string into bytes, or Base64 turning bytes into ASCII. They are different operations and not interchangeable.
Why does my escaped string have lots of backslashes?: Each level of embedding doubles backslashes. A string containing a quote, embedded once becomes \" ; embedded twice becomes \\\" ; three times becomes \\\\\\\". This is the famous "backslash explosion" you see in deeply nested logs and webhook payloads.
Will escaping change the meaning of my text?: No. Escaping is fully reversible — running the output back through the unescape mode produces byte-identical input. The escaped form is just a different textual representation of the same string value.
When should I unescape?: When you have a string that was meant to be a JSON value but was stored or transmitted in its escaped form — for example, a webhook payload field that contains \"event\": \"signup\" as a literal string. Unescaping recovers the underlying JSON for further parsing.
Is this the same as URL encoding or HTML encoding?: No. URL encoding turns special characters into %XX sequences for use in URLs. HTML encoding turns < into < for use in HTML. JSON escaping uses backslash sequences specific to JSON strings. Mixing them up is a common source of double-encoding bugs.
Do I need to escape Unicode characters like é or 中?: No. JSON strings are Unicode by default — emoji, accented letters, CJK characters are all legal as-is. Some legacy systems require pure ASCII output, in which case every non-ASCII character is replaced with a \uXXXX escape. JSONNeat keeps Unicode as-is for readability; let us know if you need an ASCII-only mode.
Is my data sent anywhere?: No. The escape and unescape operations run entirely in your browser using local JavaScript. Nothing is uploaded, logged or transmitted — safe for processing tokens, credentials, or any other sensitive string.