obfus.link

String Escaper escapes and unescapes strings for eight contexts: JSON, SQL, HTML, regex, shell, URI, CSV, and XML. Chain mode applies multiple escape layers in sequence with step-by-step output, preventing the injection vulnerabilities that occur when developers apply escapes in the wrong order across nested serialization contexts.

Tier 1encoders✓ TDD Verified

String Escaper

Escape strings for JSON, SQL, HTML, regex, shell, URI, CSV, XML

How to use

  1. Choose format and directionPick the target context (JSON, SQL, HTML, regex, shell, URI, CSV, XML) and direction (escape or unescape).
  2. Enable chain mode (optional)Provide an ordered array like [sql, json, uri] to apply multiple escapes in sequence.
  3. Escape or unescapeClick Run or press Ctrl+Enter. Output shows the result plus per-step transformations for chain mode.
Read technical article

MCP / API

Call string_escaper directly from any MCP-compatible agent:

// MCP TypeScript SDK
const result = await client.callTool({
  name: "string_escaper",
  arguments: {
    "text": "...",
    "direction": "escape"
  }
});

// curl
curl -X POST https://obfus.link/mcp \
  -H "Authorization: Bearer <SPT>" \
  -H "Content-Type: application/json" \
  -d '{"method":"tools/call","params":{"name":"string_escaper","arguments":{"text":"...","direction":"escape"}}}'

Related tools

HTML Encoder
Encode and decode HTML entities with context-aware mode
Base64 Codec
Encode, decode, and identify base64 with auto-detection
URL Parser
Parse any URL into components with deep query decoding and security analysis

FAQ

What is chain mode for?

Nested serialization contexts require layered escaping. A SQL query embedded in a JSON API payload embedded in a URL parameter needs SQL → JSON → URI escaping in that order. Wrong order produces injection vulnerabilities. Chain mode applies the escapes correctly and shows every step.

Why do HTML and XML have different escape rules?

HTML allows unescaped apostrophes in attribute values when the attribute is double-quoted. XML strictly requires escaping apostrophes in single-quoted attributes. The tool tracks both rules and applies the correct one based on the format you select.

How does JSON escaping handle special characters?

Backslash, double-quote, and control characters (0x00-0x1F) are escaped per RFC 8259. Forward slash is not escaped by default (it is optional). Unicode characters above U+007F are passed through as-is unless you also chain through ASCII-only escaping.

Can I use this tool via the MCP API?

Yes. The tool is registered on the obfus.link MCP server at https://obfus.link/mcp. Call it from any MCP-compatible agent with a Shared Payment Token. The MCP tool name matches the snake_case slug shown in the integration snippet.