Regex Escape / Unescape Tool

Building a regex that must match a literal string — a file path, a price like $9.99, a URL — means escaping every character the engine would otherwise treat as special. This tool does it for you in both directions: paste raw text to get an escaped, regex-safe version, or paste an escaped pattern to recover the literal.

Flavor

Input

Output

How to use the Regex Escape / Unescape Tool

Paste the literal text you want to match into the Input box and pick a flavor. Click Escape to insert a backslash before every metacharacter, producing a string you can drop straight into a pattern. The result of escaping Price is $9.99 (limited) can be wrapped in slashes and used as-is — it will match that exact text and nothing else.

To go the other way, paste an escaped pattern and click Unescape; the tool removes the protective backslashes so you can read the underlying literal. Use the Copy button to grab the output. Everything runs in your browser — the text you paste is never uploaded.

The two flavors differ in which characters they treat as special. JavaScript follows the set escaped by the common RegExp.escape shim; PCRE matches PHP's preg_quote(), which also escapes #, -, and a few comparison characters used in extended mode.

Why escaping matters

Regular expression engines reserve a dozen-plus characters for syntax: . * + ? ^ $ ( ) [ ] { } | \ and, depending on context, / and -. A bare dot matches any character, a bare $ anchors to end of line, and parentheses open a capturing group. If your goal is to match those characters literally, each one needs a leading backslash.

This is the single most common source of subtle regex bugs. A pattern like 3.14 looks like it matches the number, but the dot also matches 3x14, 3-14, and 3 14. Searching for a Windows path C:\Users\Bob without escaping the backslashes produces an invalid or wildly different pattern. Whenever a value comes from user input or a config file and is interpolated into a regex, escaping is mandatory — otherwise a stray ( throws a syntax error and a malicious .* can cause catastrophic backtracking.

The safe rule: never concatenate untrusted text into a pattern without escaping it first. Most languages ship a helper — Python's re.escape, PHP's preg_quote, Rust's regex::escape — and JavaScript developers typically use a one-line replacement until the native RegExp.escape proposal lands everywhere.

Common use cases

Search-and-replace over literals. When a find-and-replace feature accepts a user's literal string but runs on a regex engine under the hood, escape the input so dots and parentheses are matched verbatim.
Building dynamic patterns. Interpolating a filename, username, or tag into a larger regex (for example new RegExp('^' + escaped + '$')) without breaking the pattern.
Reading someone else's pattern. Unescape a dense regex to see the plain text it was protecting, which makes a long alternation far easier to audit.
Preventing ReDoS. Escaping user input removes the quantifiers and groups an attacker would need to trigger catastrophic backtracking.

Frequently asked questions

Does escaping change what the string matches?

No. An escaped string matches exactly the original literal text. Escaping only neutralizes characters that would otherwise be interpreted as regex syntax.

Why do JavaScript and PCRE give different results?

Each engine reserves a slightly different character set and supports different extended modes. PCRE escapes a few extra characters such as the hash and hyphen so the result is safe even inside extended (x) mode.

Is it safe to paste sensitive text here?

Yes. All escaping happens locally in your browser with plain string operations. Nothing is sent to a server.

Should I escape the forward slash?

Only if you wrap your pattern in slash delimiters, as in /.../ literals. If you build the regex from a string, the slash needs no escaping.