How to Use the Escape & Unescape Tool
Select a format from the dropdown, paste your text into the input area, and click Escape or Unescape. The tool processes your text instantly and displays the result in the output area along with the character count before and after conversion. Use the Copy button to copy the output to your clipboard. This tool is indispensable for developers who need to prepare strings for inclusion in JSON payloads, URLs, HTML documents, or source code.
Each format handles different special characters according to its own specification. JSON escaping handles quotes, backslashes, and control characters. URL encoding handles reserved URI characters. HTML escaping handles characters that would be interpreted as markup. Backslash escaping handles common programming escape sequences. Unicode escaping converts non-ASCII characters to their code point representations.
Why Escaping Exists
Escaping solves a fundamental problem in computing: how to include data that contains characters with special meaning in the surrounding context. When you embed user input in an SQL query, a quote character could terminate the string and alter the query's meaning. When you display user text in an HTML page, angle brackets could inject new HTML elements. Escaping converts these dangerous characters into safe representations that are treated as literal text rather than as structural syntax.
The principle of escaping at the boundary is critical. Text should be stored in its raw, unescaped form and only escaped when it crosses a context boundary: when inserted into HTML, when included in a URL, when embedded in JSON, or when passed to a shell command. Escaping at input time leads to double-escaping bugs because the text passes through multiple boundaries, each adding another layer of escaping that must be stripped.
Escaping Contexts and Security
Different contexts require different escaping strategies, and using the wrong one leaves vulnerabilities open. HTML context requires entity encoding to prevent cross-site scripting attacks, where an attacker injects script tags through unescaped user input. SQL context requires parameterized queries or proper quoting to prevent SQL injection, where an attacker modifies database queries through unescaped input. URL context requires percent-encoding to prevent parameter injection. Shell context requires proper quoting or escaping to prevent command injection. Each of these attack categories has caused countless real-world security breaches.
Double-Escaping Problems
Double escaping is one of the most common text-handling bugs. It happens when text is escaped twice, producing garbled output like &amp;amp; instead of &amp; or %2520 instead of %20. This occurs when code escapes text that was already escaped by a different layer, such as a template engine that auto-escapes HTML receiving input that was pre-escaped by application code. Diagnosing double escaping requires tracing the text through every processing step to find where the extra escaping occurs.
Language-Specific Escaping Functions
Every programming language provides built-in functions for escaping text in common contexts. Ruby offers CGI.escapeHTML, CGI.escape for URLs, and JSON.generate for JSON strings. JavaScript provides encodeURIComponent for URLs and JSON.stringify for JSON. Python has html.escape, urllib.parse.quote, and json.dumps. Using these built-in functions instead of writing custom escaping logic is essential because they handle edge cases and conform to specifications that manual implementations often miss.
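The following Python sketch is an added example, not code from the tool itself. It escapes one raw string for several contexts using the standard-library functions named above, plus shlex.quote for the shell context, and counts and repairs double-escaping layers. The sample string and the helper names escape_for, escape_layers, and normalize are constructed for illustration.

```python
import html
import json
import shlex
from urllib.parse import quote, unquote

# Constructed sample input: raw text as stored, with no escaping applied.
RAW = 'Tom & "Jerry" <b>50% off</b>; echo hi'

def escape_for(context: str, raw: str) -> str:
    """Escape raw text for exactly one target context, at the boundary."""
    if context == "html":
        return html.escape(raw, quote=True)   # & < > " ' become entities
    if context == "url":
        return quote(raw, safe="")            # percent-encode reserved characters
    if context == "json":
        return json.dumps(raw)                # quoted JSON string literal
    if context == "shell":
        return shlex.quote(raw)               # one POSIX shell word
    raise ValueError(f"unknown context: {context}")

def escape_layers(text: str, unescape) -> int:
    """Count how often `unescape` must run before the text stops changing."""
    layers = 0
    while (decoded := unescape(text)) != text:
        text, layers = decoded, layers + 1
    return layers

def normalize(text: str, unescape, context: str) -> str:
    """Unescape completely, then re-escape once for `context`.

    Assumption: the raw data never legitimately contains escape sequences
    (a literal "&amp;" in the raw text would be decoded as well).
    """
    while (decoded := unescape(text)) != text:
        text = decoded
    return escape_for(context, text)

if __name__ == "__main__":
    for ctx in ("html", "url", "json", "shell"):
        print(f"{ctx:5} {escape_for(ctx, RAW)}")
    # Simulate a layer that pre-escapes before an auto-escaping template.
    twice = escape_for("html", escape_for("html", RAW))
    print("double-escaped:", twice)
    print("layers:", escape_layers(twice, html.unescape))
    print("repaired:", normalize(twice, html.unescape, "html"))
    print("url twice:", escape_for("url", escape_for("url", RAW)))
    print("url layers:", escape_layers(quote(quote(RAW, safe=""), safe=""), unquote))
```

A layer count above 1 on text headed for output means some earlier step escaped it before the boundary did.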
Frequently Asked Questions
Why does text need to be escaped?
To prevent special characters from being interpreted as control syntax in the target format. Escaping converts them to safe representations treated as literal data.
What is the difference between URL encoding and HTML escaping?
URL encoding uses percent-hex sequences like %20 for spaces. HTML escaping uses entity references like &amp; for ampersands. Each is specific to its context.
What is double escaping?
When text is escaped twice, producing sequences like &amp;amp; instead of &amp;. Fix by unescaping completely, then re-escaping once at the correct boundary.
How do escaping failures cause vulnerabilities?
Unescaped HTML enables XSS. Unescaped SQL enables injection. Unescaped shell arguments enable command injection. Always escape output for its target context.
What are Unicode escape sequences?
Representations of characters using their hex code point: \u00E9 for accented e. Used to include non-ASCII characters in ASCII-only contexts.