JSON Escape / Unescape
Escape special characters in a plain text string so it can be safely embedded inside a JSON value. Or unescape a JSON-encoded string back to its original readable form. All processing happens locally in your browser.
JSON Escape Characters Reference
| Character | Escaped | Description |
|---|---|---|
| " | \" | Double quote — must be escaped inside JSON strings |
| \ | \\ | Backslash — must be escaped to avoid ambiguity |
| newline | \n | Line feed / new line character |
| tab | \t | Horizontal tab character |
| carriage return | \r | Carriage return character |
| / | \/ | Forward slash (optional but valid) |
| backspace | \b | Backspace character |
| form feed | \f | Form feed character |
When Do You Need to Escape JSON?
- Embedding a JSON string inside another JSON string value
- Storing JSON in a database field as a string
- Passing JSON as a query parameter in a URL
- Including JSON inside HTML attributes or JavaScript string literals
- Sending JSON in email bodies or log files where special characters cause issues
Escape vs Encode — What's the Difference?
JSON escaping adds backslash sequences for special characters within a string value. It is different from URL encoding (which uses % sequences) and Base64 encoding (which converts binary to ASCII). Use JSON escaping when you need to embed a string safely inside a JSON document. Use URL encoding for query parameters, and Base64 for binary data.
Use the JSON validator to check the complete document.
JSON Escape vs Other Encoding Methods
Developers often confuse JSON escaping with other encoding techniques. Understanding the difference helps you choose the right tool for each situation.
- JSON Escape — adds backslash sequences inside JSON string values. Use when embedding text inside a JSON document. Example:
"He said \"hello\"" - URL Encoding — converts characters to percent-encoded sequences like
%20. Use for query parameters and URL paths. - Base64 Encoding — converts binary data to ASCII text. Use for embedding files or images in JSON or HTML.
- HTML Escaping — converts
<to<. Use when inserting text into HTML pages to prevent XSS attacks.
Complete JSON Escape Sequences Reference
The JSON specification (RFC 8259) defines the following escape sequences that must or can be used inside JSON string values:
\"— double quotation mark (required when inside a string)\\— reverse solidus / backslash (required)\/— solidus / forward slash (optional)\b— backspace (U+0008)\f— form feed (U+000C)\n— line feed / newline (U+000A)\r— carriage return (U+000D)\t— horizontal tab (U+0009)\uXXXX— Unicode escape sequence for any character
Practical Examples of JSON Escaping
Here are real-world scenarios where JSON escaping is required:
// Storing a Windows file path (backslashes must be escaped)
{"path": "C:\\Users\\Alice\\Documents"}
// Storing HTML content inside a JSON string
{"html": "Hello World
"}
// Multi-line text stored as a JSON string
{"message": "Line 1\nLine 2\nLine 3"}
// JSON containing a serialized JSON string (double-escaped)
{"data": "{\"name\":\"Alice\",\"age\":28}"}
How to Avoid JSON Escape Errors
- Always use
JSON.stringify()in JavaScript to generate JSON — it handles escaping automatically - Never manually build JSON strings by concatenating raw values — this leads to escape errors and security vulnerabilities
- Use a JSON validator after manually editing JSON to catch any missed escape sequences
- When storing user input in JSON, always pass it through a JSON serializer, never embed it raw
- Be especially careful with file paths on Windows — every backslash must be doubled
Why JSON Escaping Matters for Security
Improper JSON escaping can lead to serious security vulnerabilities. If user-supplied text is embedded into a JSON string without proper escaping, an attacker could inject additional JSON keys or break out of the string context entirely — a form of JSON injection. Always escape user input before embedding it in JSON, and use established serialization libraries rather than building JSON strings manually.
Related Tools
- JSON Formatter & Validator — format and validate your full JSON document
- HTML Escape / Unescape — escape HTML special characters to prevent XSS
- URL Encoder / Decoder — percent-encode URLs and query strings
- JSON Beautifier — pretty-print JSON with custom indentation
- Common JSON Errors — fix the most frequent JSON syntax mistakes