Why not use a simple replace(/[.*+?^${}()|[\]\\]/g, "\\$&") helper?

The classic helper covers many syntax characters but misses edge cases handled by RegExp.escape(), including leading alphanumeric characters, punctuation that needs hex escaping, spaces, line breaks, and some Unicode cases.

Does escaping prevent ReDoS?

Escaping literal user text prevents regex injection when building dynamic patterns. It does not prove an entire hand-written regex is safe from catastrophic backtracking or ReDoS.

RegExp Escape Tool

Escape literal text for JavaScript RegExp patterns, generate safe constructor snippets, preview matches, and avoid dynamic-regex injection mistakes. The output follows the RegExp.escape() behavior used by modern JavaScript runtimes.

Reviewed June 1, 2026. Privacy model: tool input is processed in your browser and is not uploaded to BytePane servers.

Literal text to escape

price: $19.99 (sale)

RegExp flags

Preview uses global matching even if g is off.

Match preview text

Old price: $29.99. Current price: $19.99 (sale).

Escaped output

\x70rice\x3A\x20\$19\.99\x20\(sale\)

Constructor snippet

const pattern = new RegExp("\\x70rice\\x3A\\x20\\$19\\.99\\x20\\(sale\\)", "g");

Regex literal snippet

/\x70rice\x3A\x20\$19\.99\x20\(sale\)/g

Open in Regex Tester

Match preview

0.03 ms

Match 1 at index 27

price: $19.99 (sale)

Why the first character may become \\x66

RegExp.escape() escapes a leading ASCII letter or digit with a hex escape so it cannot accidentally merge with a preceding escape sequence in a larger pattern.

Why hyphens and commas become hex

Some punctuation is not safely escaped with a simple backslash in every regex context. Hex escapes keep literal text valid inside dynamic JavaScript RegExp sources.

Escaping is not full regex safety

Escaping protects literal user text. Review the surrounding regex for nested quantifiers, broad wildcards, and untrusted server-side execution paths that can create ReDoS risk.

Source-backed workflow

MDN documents RegExp.escape() as the JavaScript-native way to escape literal text for dynamic RegExp construction. OWASP treats Regular Expression Denial of Service as a separate risk class, so escaping literal input should be paired with pattern review when the final regex runs on untrusted or high-volume input.

MDN RegExp.escape()OWASP ReDoS JavaScript regex guide

Frequently Asked Questions

What does RegExp.escape() do?

RegExp.escape() converts literal text into a pattern source that can be inserted into new RegExp() without treating punctuation, brackets, slashes, spaces, or leading alphanumeric text as regex syntax.

When should I escape text for a regex?

Escape text when the user supplies a literal search term, file path, product name, URL fragment, package name, or other text that should be matched exactly inside a dynamic RegExp.

Does escaping user text prevent ReDoS?

It prevents regex injection for that literal text. It does not prove a larger hand-written pattern is ReDoS-safe, so still review nested quantifiers and broad wildcards.

Is this the same as the common replace helper?

No. The common replace helper escapes many regex metacharacters, but RegExp.escape() also handles leading alphanumeric characters, punctuation that needs hex escaping, whitespace, line breaks, and Unicode edge cases.

Does this upload my text?

No. Escaping, snippets, and match previews run in your browser tab.