Character Escaper — Escape HTML, JSON, SQL & More

Character Escaper — Escape HTML, JSON, SQL & More | Tinker

Input text

Escaped (click to copy)

Unescaped (click to copy)

Why Character Escaping Matters

When user-supplied text is embedded into HTML, SQL queries, JSON payloads, or code strings without escaping, special characters can break the surrounding syntax — or worse, be interpreted as executable instructions. This is the root cause of some of the most common and severe security vulnerabilities on the web.

What can go wrong without escaping?

XSS (Cross-Site Scripting) — A <script> tag in unescaped HTML input can steal cookies or hijack sessions.
SQL Injection — An unescaped single quote in a SQL query can allow an attacker to read or destroy your database.
Broken JSON — A literal quote or backslash in a JSON string value causes a parse error in every consumer of that API.
Regex catastrophic backtracking — Unescaped metacharacters in a dynamically-built pattern can cause ReDoS attacks.

When to use each mode

Mode	Use when	Characters escaped
HTML	Inserting text into HTML attributes or element content	`& < > " '`
JSON String	Embedding a value inside a JSON string literal	`" \ /` and control chars
JavaScript	Injecting a value into a JS string in a template	`\ ' " \n \r \t`
SQL	Building SQL queries with string parameters (prefer parameterised queries)	`' \`
CSV	Outputting fields that contain commas, quotes, or newlines	Wraps field in quotes, doubles internal quotes
Regex	Using a dynamic string as a literal pattern in a RegExp constructor	`. * + ? ^ $ { } ( ) [ ] \ \|`

Common Escape Sequences at a Glance

Character	HTML	JSON / JS	SQL
`&`	`&`	—	—
`<`	`<`	—	—
`>`	`>`	—	—
`"`	`"`	`\"`	—
`'`	`'`	`\'`	`''`
`\`	—	`\\`	`\\`
newline	—	`\n`	—
tab	—	`\t`	—

The golden rule

Always escape at the point of output, not at the point of input. Escaping on input corrupts the stored data and means you need to know which format it was escaped for later. Store raw text, escape when rendering.