RegExp.escape()
Baseline 2025Newly available
Since May 2025, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.
TheRegExp.escape() static methodescapes any potential regex syntax characters in a string, and returns a new string that can be safely used as aliteral pattern for theRegExp() constructor.
When dynamically creating aRegExp with user-provided content, consider using this function to sanitize the input (unless the input is actually intended to contain regex syntax). In addition, don't try to re-implement its functionality by, for example, usingString.prototype.replaceAll() to insert a\ before all syntax characters.RegExp.escape() is designed to use escape sequences that work in many more edge cases/contexts than hand-crafted code is likely to achieve.
Syntax
RegExp.escape(string)Parameters
stringThe string to escape.
Return value
A new string that can be safely used as a literal pattern for theRegExp() constructor. Namely, the following things in the input string are replaced:
- The first character of the string, if it's either a decimal digit (0–9) or ASCII letter (a–z, A–Z), is escaped using the
\xcharacter escape syntax. For example,RegExp.escape("foo")returns"\\x66oo"(here and after, the two backslashes in a string literal denote a single backslash character). This step ensures that if this escaped string is embedded into a bigger pattern where it's immediately preceded by\1,\x0,\u000, etc., the leading character doesn't get interpreted as part of the escape sequence. - Regexsyntax characters, including
^,$,\,.,*,+,?,(,),[,],{,}, and|, as well as the/delimiter, are escaped by inserting a\character before them. For example,RegExp.escape("foo.bar")returns"\\x66oo\\.bar", andRegExp.escape("(foo)")returns"\\(foo\\)". - Other punctuators, including
,,-,=,<,>,#,&,!,%,:,;,@,~,',`, and", are escaped using the\xsyntax. For example,RegExp.escape("foo-bar")returns"\\x66oo\\x2dbar". These characters cannot be escaped by prefixing with\because, for example,/foo\-bar/uis a syntax error. - The characters with their owncharacter escape sequences:
\f(U+000C FORM FEED),\n(U+000A LINE FEED),\r(U+000D CARRIAGE RETURN),\t(U+0009 CHARACTER TABULATION), and\v(U+000B LINE TABULATION), are replaced with their escape sequences. For example,RegExp.escape("foo\nbar")returns"\\x66oo\\nbar". - The space character is escaped as
"\\x20". - Other non-ASCIIline break and white space characters are replaced with one or two
\uXXXXescape sequences representing their UTF-16 code units. For example,RegExp.escape("foo\u2028bar")returns"\\x66oo\\u2028bar". - Lone surrogates are replaced with their
\uXXXXescape sequences. For example,RegExp.escape("foo\uD800bar")returns"\\x66oo\\ud800bar".
Exceptions
TypeErrorThrown if
stringis not a string.
Examples
Using RegExp.escape()
The following examples demonstrate various inputs and outputs for theRegExp.escape() method.
RegExp.escape("Buy it. use it. break it. fix it.");// "\\x42uy\\x20it\\.\\x20use\\x20it\\.\\x20break\\x20it\\.\\x20fix\\x20it\\."RegExp.escape("foo.bar"); // "\\x66oo\\.bar"RegExp.escape("foo-bar"); // "\\x66oo\\x2dbar"RegExp.escape("foo\nbar"); // "\\x66oo\\nbar"RegExp.escape("foo\uD800bar"); // "\\x66oo\\ud800bar"RegExp.escape("foo\u2028bar"); // "\\x66oo\\u2028bar"Using RegExp.escape() with the RegExp constructor
The primary use case ofRegExp.escape() is when you want to embed a string into a bigger regex pattern, and you want to ensure that the string is treated as a literal pattern, not as a regex syntax. Consider the following naïve example that replaces URLs:
function removeDomain(text, domain) { return text.replace(new RegExp(`https?://${domain}(?=/)`, "g"), "");}const input = "Consider using [RegExp.escape()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp/escape) to escape special characters in a string.";const domain = "developer.mozilla.org";console.log(removeDomain(input, domain));// Consider using [RegExp.escape()](/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp/escape) to escape special characters in a string.Inserting thedomain above results in the regular expression literalhttps?://developer.mozilla.org(?=/), where the "." character is a regexwildcard character. This means the string will match the string with any character in place of the ".", such asdeveloper-mozilla-org. Therefore, it would incorrectly also change the following text:
const input = "This is not an MDN link: https://developer-mozilla.org/, be careful!";const domain = "developer.mozilla.org";console.log(removeDomain(input, domain));// This is not an MDN link: /, be careful!To fix this, we can useRegExp.escape() to ensure that any user input is treated as a literal pattern:
function removeDomain(text, domain) { return text.replace( new RegExp(`https?://${RegExp.escape(domain)}(?=/)`, "g"), "", );}Now this function will do exactly what we intend to, and will not transformdeveloper-mozilla.org URLs.
Specifications
| Specification |
|---|
| ECMAScript® 2026 Language Specification # sec-regexp.escape |