How to use the Regex Escape
Escape a string for regex use in three steps:
1
Enter the string you want to match literally
Type or paste the exact string you want to find. Click a quick sample to see how common patterns like file paths and URLs are escaped.
2
Choose a regex flavor and options
Select the regex engine your code uses (JavaScript, PCRE/PHP, Python re, or RE2/Go). Toggle 'Wrap in /slashes/' to add JS regex delimiters. Enable 'Show analysis' to see which characters needed escaping and why.
3
Copy the escaped pattern
Copy the escaped regex pattern and use it in your code's RegExp constructor or regex literal.
When to use this tool
Use this tool when you need to use a literal string as a regex pattern:
- →Escaping a user-provided search string before inserting it into a RegExp constructor to prevent regex injection
- →Escaping file paths containing backslashes and dots so they match literally in a regex pattern
- →Escaping URLs with dots, slashes, and question marks for use in URL matching regular expressions
- →Escaping IP addresses and version numbers that contain dots which would otherwise match any character
- →Preparing a domain name or DNS hostname for use in a regex where dots must match literally
- →Escaping price strings like $19.99 where $ would match end-of-string and . would match any character
Frequently asked questions
Q:Which characters need to be escaped in a regex pattern?
The characters with special meaning in most regex engines that must be escaped with a backslash for literal matching are: . (any char), * (zero or more), + (one or more), ? (zero or one / lazy), ^ (start of string / negation), $ (end of string), { } (quantifier range), ( ) (capture group), | (alternation), [ ] (character class), \ (escape char itself). In JavaScript regex literals, the forward slash / must also be escaped. In verbose/extended mode (/x flag or (?x)), # and whitespace also have special meaning. In character classes ([ ]), the hyphen - must be escaped or placed at the start/end.
Q:Why is regex escaping important for user input?
If you insert user-supplied text directly into a regex pattern without escaping, a malicious or accidental input can break your regex or cause catastrophic backtracking (ReDoS — Regular Expression Denial of Service). For example, if a user searches for (a+ )+ on a long non-matching string, it can cause exponential backtracking that freezes the JavaScript thread for seconds or minutes. Escaping user input before inserting it into a RegExp ensures the string is matched literally, the regex remains predictable, and there is no injection risk. Always escape in JavaScript: new RegExp(escapedRegex(userInput)).
Q:What is RegExp.escape() and when will it be available?
RegExp.escape() is a TC39 proposal for a native JavaScript method that escapes a string for literal use in a regex — exactly what this tool does manually. As of 2024, it is at Stage 3 of the TC39 proposal process, meaning it has a complete specification and is being implemented in browsers. It is not yet available in all browsers as a stable API. Until it is, you need a polyfill or this manual approach: str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'). This tool's output matches what RegExp.escape() will produce for the JavaScript flavor.
Q:What is the difference between JavaScript and Python regex escaping?
JavaScript and Python re.escape() escape the same core metacharacters but differ in some edge cases. Python's re.escape() (since Python 3.7) escapes only characters that have special meaning in Python's regex engine, deliberately not escaping characters like : = ! which are ASCII punctuation but have no special regex meaning. Earlier Python versions (before 3.7) escaped all non-alphanumeric characters, which was overly conservative. JavaScript regex escaping typically escapes the same characters. The practical difference is minimal for most strings, but Python 3.7+ produces slightly cleaner output for strings with punctuation.
Q:What does the character analysis table show?
The analysis table appears when you enable 'Show analysis' and lists every unique regex metacharacter found in your input. For each character it shows: the raw character, its escaped form (with backslash prefix), the meaning it would have if left unescaped in a regex pattern, and how many times it appears in your input. This helps you understand which characters are driving the escaping, learn regex metacharacter meanings, and verify that the tool correctly identified all special characters. If the table is empty, your input contains no special regex characters and can be used literally without escaping.
Q:How do I use the escaped pattern in JavaScript code?
Copy the escaped pattern and use it in one of two ways: (1) RegExp constructor: new RegExp(escapedString) or new RegExp(escapedString, 'gi') for flags. (2) Regex literal: /escapedString/ — but only if the escaped string doesn't contain forward slashes (which are also escaped in JS extended mode). The constructor approach is more flexible for dynamic patterns. For example, to find a literal URL in text: const escaped = escapeRegex('https://example.com/path?q=1'); const regex = new RegExp(escaped, 'g'); text.match(regex). This matches the URL exactly, with all . and ? characters treated literally.