Go REST

URL, HTML, JS and JSON escape and unescape

Escape and unescape strings for the four formats you reach for most often. Pick a target with the tabs, choose encode or decode, and the result updates as you type. Everything runs in your browser.

Four kinds of escaping, four different rules

"Escape" is a generic word covering several incompatible transforms. URL-encoding swaps reserved characters for %XX hex sequences so the string is safe in a URL. HTML-escaping replaces characters that have special meaning in HTML markup with named or numeric entities (&lt;, &amp;). JS-escaping inserts backslash sequences so the string can sit inside a JavaScript literal. JSON-escaping is the stricter subset that always parses with JSON.parse.

Knowing which one you need is half the battle - applying the wrong one silently mangles your data or, worse, opens an injection bug.

When to use this tool

  • Debugging a malformed URL. If your API call is returning 400, look at the raw query string. Spaces showing up as + or %20, special characters mis-encoded - this tool reproduces both sides.
  • Reading entity-encoded HTML. Email previews, RSS feeds, and old database fields often arrive as &lt;p&gt;Hello&lt;/p&gt;. Decode to recover the original markup.
  • Generating a JS string literal. Copying a multi-line block of text into a source file? Encode as JS to get a single safe quoted literal.
  • Crafting a JSON test fixture. If your test data contains quotes and newlines, JSON-escape it once so you can paste it into a "key": "..." pair.

How each form works

  • URL-encoding (percent-encoding, RFC 3986). Any byte outside the "unreserved" set (A-Z a-z 0-9 - _ . ~) becomes % followed by two hex digits of its UTF-8 representation. encodeURIComponent is the JavaScript standard.
  • HTML entity encoding. The five characters that can change parsing inside HTML (&, <, >, ", ') get replaced with named or numeric entities. Decoders also recognize &hellip; and the entire entity table.
  • JS string escape. Special characters become backslash sequences: \n, \r, \t, \\, \". Code points outside Latin-1 use \u{...} (ES2015+) or \uXXXX.
  • JSON string escape. A stricter subset of the JS rules - \u{...} isn't allowed; surrogate pairs are required for astral characters. Always parsable with JSON.parse.

Common pitfalls

  • "It worked locally, broke in production". The client encoded the URL once, then a proxy or middleware encoded it again (double-encoding). %20 becomes %2520. Decode twice to recover.
  • Using JS-escape inside JSON. \x20 and \u{1f600} are JS-only. JSON.parse will throw on them. Pick JSON-escape when JSON is the destination.
  • HTML-escaping URLs. Putting an HTML-escaped URL into href works because the browser decodes entities. But it's not the same as URL-encoding - &amp; in a query string keeps the ampersand visible while a percent-encoded space (%20) doesn't.
  • Stripping rather than escaping. Removing < and > "to prevent XSS" loses the user's content. Escape on output and let the browser show the literal characters; never strip on input.
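
The four forms from "How each form works" and two of the pitfalls above (JS-escape inside JSON, double-encoding), applied to one constructed string. This is an added example, not this tool's own code; SAMPLE and all function names are assumptions made for illustration.

```javascript
// Constructed sample: quotes, markup characters, a newline and an astral character.
const SAMPLE = 'Tom & "Jerry" <b>\n\u{1f600}';

// URL: percent-encode for use as one query value or path segment.
const escapeUrl = (s) => encodeURIComponent(s);

// HTML: the five characters that can change parsing.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ENTITIES[c]);

// JS: body of a double-quoted literal; uses the JS-only \xNN and \u{...} forms.
function escapeJs(s) {
  const named = { '\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r', '\t': '\\t' };
  let out = '';
  for (const ch of s) { // for...of iterates by code point, not code unit
    const cp = ch.codePointAt(0);
    if (named[ch]) out += named[ch];
    else if (cp < 0x20 || cp === 0x7f) out += '\\x' + cp.toString(16).padStart(2, '0');
    else if (cp > 0xff) out += '\\u{' + cp.toString(16) + '}';
    else out += ch;
  }
  return out;
}

// JSON: JSON.stringify handles quotes, backslashes and control characters; the
// replace runs per UTF-16 code unit, so astral characters become surrogate pairs.
function escapeJson(s) {
  return JSON.stringify(s).slice(1, -1).replace(/[\u0080-\uffff]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Returns the decoded string, or null when the body is not a valid JSON string.
function jsonRoundTrip(body) {
  try { return JSON.parse('"' + body + '"'); } catch { return null; }
}

// Counts decodeURIComponent passes until the value stops changing. A count above
// one suggests double-encoding, though data containing a literal "%20" looks the same.
function percentLayers(s, max = 5) {
  let n = 0;
  while (n < max) {
    let next;
    try { next = decodeURIComponent(s); } catch { break; } // malformed %XX
    if (next === s) break;
    s = next; n += 1;
  }
  return n;
}

console.log(escapeUrl(SAMPLE), escapeHtml(SAMPLE), escapeJs(SAMPLE), escapeJson(SAMPLE));
```

The JS-escaped body fails jsonRoundTrip because of \u{1f600}, while the JSON-escaped body parses back to the original string.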

FAQ

What's the difference between URL-encoding and HTML-escaping?

URL-encoding (percent-encoding) makes a string safe inside a URL. HTML-escaping (entity-encoding) makes a string safe inside HTML markup. They produce different output and are not interchangeable.

When do I need a JavaScript string escape vs a JSON string escape?

They are almost identical, but JS allows \x and \u{...} forms that JSON does not. JSON is the safer subset; use it when in doubt.

Does encodeURIComponent encode the slash?

Yes. Inside a single URI component a forward slash is data rather than a path separator, so encodeURIComponent percent-encodes it. Use encodeURI (not on this page) if you need slashes preserved.

Why does my HTML decode strip the tags?

The decoder uses DOMParser, so any real HTML tags in the input are interpreted as markup and their text content is returned. Pass entity-encoded text (&lt;tag&gt;) to recover the literal angle brackets.

Is this tool XSS-safe to use in production?

The output is intended for inspection, not for shipping into production HTML. Use your framework's built-in escapers (Rails sanitize, Django autoescape, React JSX) for runtime output.