What characters need to be escaped in JSON strings?

Backslash (\\), double quote (\"), control characters (\u00XX for codepoints below 0x20), newline (\n), carriage return (\r), tab (\t), and form feed (\f). Forward slash escaping (\/) is optional — most parsers leave it as-is.

How are Unicode characters handled?

Codepoints in the BMP (basic multilingual plane) become \uXXXX. Characters outside the BMP (emoji, supplementary plane) require surrogate pairs — two \uXXXX sequences. The tool handles surrogate pairs correctly when the input is well-formed.

What's the difference between escape and unescape?

Escape converts raw text into a valid JSON string literal (wrapping in quotes and escaping special characters). Unescape reverses it: takes a JSON string literal and recovers the original text. Round-tripping should give you back the input you started with.

When would I use this in real life?

Embedding code or multi-line text in JSON config (CI YAML with embedded shell scripts, log lines with stack traces, API requests with multi-line description fields). Any time you need to put text-with-special-characters inside a JSON string value.

Is my input sent to a server?

No. Conversion runs entirely in your browser — safe for sensitive log lines, tokens, or PII.

May 2, 20266 min read

JSON Escape Online: String Escape Guide (Step-by-Step)

Need a JSON escape online tool that handles every edge case? Here's the practical guide. You need to embed a chunk of text inside a JSON string — maybe a code snippet inside an email template, a stack trace inside a structured log, or a multi-line description inside a config file. Hand-escaping \ as \\, " as \", and newlines as \nis one of those tasks that's slightly faster to do in a tool than to remember the rules for.

In this guide you'll learn how to escape and unescape JSON strings using PDFFlare's JSON Escape tool — what gets escaped, what doesn't, how Unicode escapes work, and the use cases where pasting through this tool saves ten minutes of fiddly debugging.

How to Use a JSON Escape Online Tool Correctly

The interactive tool above does most of the work. The rest of this guide covers patterns, edge cases, and production tips you'll want to keep in mind.

What Gets Escaped in JSON Strings?

Backslash (\) → \\.
Double quote (") → \".
Newline / carriage return / tab → \n / \r / \t.
Control characters (codepoints below 0x20) → \u00XX.
Forward slash (/) — optional; most parsers leave it as-is, but you can escape as \/ for HTML embedding safety.

How to Escape and Unescape JSON Strings (Step by Step)

Open PDFFlare's JSON Escape tool.
Paste your raw text or escaped string. The tool detects which mode (escape or unescape) you need.
Click Escape or Unescape. Output is a valid JSON string literal (escape) or the underlying plain text (unescape).
Copy and paste. Drop into your JSON config, log line, API request, or wherever you need it.

Real Use Cases

Embedding code in JSON config

Your CI config has a multi-line shell script in a JSON value. Paste the script, escape, embed.

Reading a structured log entry

The log line has a stack trace as a single escaped JSON string. Unescape and read it normally.

Building API requests by hand

curl/Postman test where the body is JSON and one field is something like a multi-line description. Escape once, paste into the body.

Round-tripping copy/pasted JSON

A teammate sent you JSON via Slack and Slack double-escaped it. Run the unescape to recover the real value.

Common Mistakes (and How to Avoid Them)

Escaping a string that already has escapes. Run a preview first — if you see \\\\nin the output, you're double-escaping. Unescape, then escape once.
Forgetting Unicode normalisation. Some characters have multiple Unicode representations (NFC vs NFD). The tool preserves the input bytes; if the difference matters, normalise upstream.
Treating \u as the only Unicode escape. Surrogate pairs (👍 for 👍) require both halves. The tool handles surrogate pairs correctly when the input is well-formed.

Privacy: Your Input Stays Local

Conversion runs in your browser. Safe for sensitive log lines, tokens, or PII.

Related Workflows in the JSON Suite

Adjacent tools you might find useful while working on the same JSON document: the JSON Formatter and JSON Viewer both pair well with the conversion above. The first handles a different output format that consumers of your data may prefer; the second covers the validation side of the same workflow.

Related Tools

JSON Formatter — format the document you're embedding the string into.
URL Encode / Decode — escape for URLs instead of JSON.
Base64 Encode / Decode — for binary embedding.
JSON Viewer — inspect the document with the embedded string.

Escaping in Layered Systems

Most real-world JSON-string-escaping problems arise not from a single layer but from the interaction between multiple layers of encoding. A JSON value embedded in a shell script needs both shell escaping and JSON escaping. A JSON value in an HTML email needs HTML escaping plus JSON escaping. A JSON value in a SQL string literal needs SQL escaping on top. Each layer has its own rules, and getting the order wrong produces subtle bugs that survive code review.

The discipline that prevents these bugs is to escape at each boundary independently and keep track of which escaping has been applied. A value that has been JSON-escaped should not be JSON-escaped again. A value that has been HTML-escaped should not be HTML-escaped again. The double-escape is the most common bug, and it produces output where every backslash has become a double backslash and every quote has become an escaped backslash plus an escaped quote — readable to humans but unparseable to consumers.

The order of escaping matters as much as escaping itself. When embedding JSON in HTML, you typically JSON-escape first to produce a valid JSON string, then HTML-escape the result so it can sit safely in an HTML attribute or element. When embedding JSON in a shell script, you JSON-escape first then shell-quote the resulting string. When embedding JSON in SQL, you JSON-escape first then SQL-escape. The pattern is the same: escape for the inner format first, then for each outer wrapping format in turn.

The temptation to write your own escape functions is worth resisting. Every language has well-tested standard library or third-party functions for JSON escaping, HTML escaping, shell quoting, and SQL parameter binding. Use those. They handle Unicode correctly, surrogate pairs correctly, control characters correctly. Hand-rolled escape code looks easy and almost always has subtle bugs for edge cases the author did not test. The library version takes one line; the hand-rolled version takes twenty and has a security flaw waiting to be discovered. Use libraries — every time, without exception.

Production Patterns for JSON String Escape

Escaping is mechanical but production code has subtleties:

Escape Once, Not Twice

A common bug: escape a string, then accidentally pass it through another JSON encoder. You end up with \\n where you expected \n. Audit your serialization pipeline — strings should be escaped at exactly one boundary.

Be Careful with Unicode Escapes

\u0041is "A". Most parsers handle this transparently. But surrogate pairs (emojis, some CJK characters) need \uD83D\uDE00 — TWO escapes for one character. The generator handles this; if you hand-edit, watch for splitting surrogate pairs.

Don't Escape Inside Code Blocks

When embedding JSON in another format (Markdown, HTML, shell scripts), the outer format may need its own escaping. Don't escape JSON twice — escape once for JSON, once for the outer format, and apply them in the right order.

When to Use a Different Approach

Manual escape is for edge cases — most workflows have better options:

For language code generation, use JSON to TypeScript — escapes are baked in; no manual handling needed.
For copy-paste into code, use a real JSON-aware editor that pastes as a properly-escaped string literal.
For validation, use JSON Formatter with the validate option — confirms escapes are correct.

Common Mistakes to Avoid

Escaping a forward slash unnecessarily. JSON allows / as \/but it's not required. Some encoders emit \/; both forms parse identically. The double-escape just adds noise.
Escaping a control character as text. Newline must be \n, not literal \ followed by "n". Confusing these is a classic source of malformed JSON.
Round-tripping through different serializers. Different libraries make different choices about which characters to escape. A round-trip (parse, re-serialize) can produce a textually different but semantically equivalent string.
Embedding raw HTML in JSON for the browser. If the JSON is interpolated into a<script> tag, the closing</script> in a JSON string can break out of the tag. Escape < as \u003c for safety.
Trusting hand-written escape code. The edge cases (surrogate pairs, control chars, Unicode line/paragraph separators) trip up nearly every home-grown implementation. Use a library.

Real-World Use Cases

Embedding JSON in shell scripts. curl -d "..." needs the body escaped for shell quoting AND for JSON.
Generating fixture files for tests. Often easier to escape a JSON literal once and embed as a string than maintain a separate file.
SQL-injection-safe JSON storage. Modern databases store JSON natively; if you must embed JSON in a SQL string literal, escape both layers correctly.
Building error messages. Including a JSON value in a user-facing error string requires escape so the message itself parses cleanly.

Polishing the Generator's Output

String escaping is one of those programming topics where the underlying rules are simple but the edge cases are numerous. Whatever your specific use case, treat the generated output as a draft that deserves a careful read-through. Generators are excellent at producing the mechanical structure of an artifact and not at the editorial decisions that make the difference between something a colleague will tolerate and something a colleague will appreciate. Read every section of the output the way you would read a piece of writing you were proofreading for a friend. Look for inconsistent naming, missed opportunities to consolidate similar items, and places where the structure is mechanically correct but conceptually awkward. The five minutes spent on this review are the difference between an artifact that pays back over months and one that needs a second pass before it can be used. The generator handles the heavy lifting; you handle the polish that turns a draft into a deliverable. This division of labor is what makes generated code worthwhile in the first place. Without that final pass of human editorial judgment, the generator's output is merely fast rather than valuable, and the value matters more than the speed in nearly every real production setting.

The same logic applies to documentation, comments, and inline context that your generator output rarely supplies. A generated artifact has structure but no narrative; the narrative is what makes the thing useful to the next person who reads it. Add the few sentences of context that explain why a particular choice was made, what the surrounding system expects, and what the next person should look out for. These small editorial gestures cost almost nothing in the moment and pay back many times over when someone is trying to understand what you produced months later. Treat generation as the first ten percent of the work and these editorial passes as the remaining ninety percent that turns mechanical output into something a colleague will reach for again and again. Build the habit early and the gap between your generated artifacts and hand-written ones gets very small over time, which is the real prize.

Wrapping Up

Escaping JSON strings is a five-second job once you have the right tool. PDFFlare's JSON Escape tool does it bidirectionally with no signup, no upload, no quirks.