ops@toolbox:~$ stringescape --run

String Escape / Unescape

Escape and unescape strings for JSON, HTML, shell single-quoting and regex.

Four escaping problems, one tool

JSON mode turns raw text (newlines, quotes, tabs and all) into a legal JSON string body and back. Use it when embedding a config blob or script into a JSON field: literal newlines become \n, quotes become \". The unescape direction answers "what does this \u00e9-riddled log field actually say?"

HTML mode converts & < > " ' to entities and decodes any entity, named or numeric. Escaping user-controlled text before it hits HTML is the fix for reflected XSS; decoding tells you what an entity-encoded payload in a log is really doing.

Shell mode produces a safely single-quoted string using the classic '\'' dance, inside single quotes nothing expands, and each embedded apostrophe is handled by closing, escaping, reopening. This is the correct way to pass an arbitrary password or JSON blob as a shell argument; double quotes still expand $ and backticks and are not safe for untrusted content.

Regex mode backslash-escapes the fourteen regex metacharacters so a literal string (an IP, a path with dots, a version number) can be dropped into a pattern and match itself, nothing more. Grepping logs for 10.0.4.1 unescaped also matches 10a0b4c1-shaped strings; escaped, it matches only the address.

Order matters

When a value passes through multiple layers (shell → JSON → HTML is common in webhooks) escape for the innermost format first, outermost last, and unescape in reverse. Most "corrupted payload" mysteries are a layer applied twice or in the wrong order.

Related tools

Base64 Encoder / Decoder
Encode and decode Base64 and URL-safe Base64, with full UTF-8 support.
Hex Converter
Convert between text, hexadecimal, decimal and binary, plus number base conversion.
JSON Formatter & Validator
Pretty-print, minify and validate JSON with precise error locations.
URL Encoder / Decoder & Parser
Percent-encode or decode text, and split any URL into its parts.