How-to May 7, 2026

How to escape special characters in regex

A regex full of dots and parens means nothing useful until you decide which are literal and which are operators.

The short answer

Prefix a metacharacter with a backslash to make it literal:

\.     literal dot
\(     literal opening paren
\$     literal dollar sign
\\     literal backslash

The 14 characters you need to escape

These are regex metacharacters — they have special meaning, and need escaping if you want a literal match:

. * + ? ^ $ ( ) [ ] { } | \

Memorize this set. Everywhere else (letters, digits, spaces, punctuation like !@#%&_) is already literal.

Inside character classes — different rules

Inside [...], most metacharacters lose their power. You don't need to escape:

[.]      literal dot — no escape needed inside []
[*+]     literal star and plus
[(){}]   literal parens and braces
[|]      literal pipe

What you DO still need to escape inside [...]:

\\ — backslash
] — closing bracket (unless it's the first character)
^ — only if it's the first character (otherwise it's a negation marker)
- — only if it's in the middle of a range (or escape it; or put it first/last)

Escaping user input — the safe way

Most languages have a regex-escape helper for sanitizing user-provided search strings:

Python

import re
pattern = re.escape(user_input)
re.search(pattern, text)

JavaScript — no native helper

JavaScript doesn't have a built-in RegExp.escape (a proposal exists). Use a one-liner:

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

const pattern = new RegExp(escapeRegex(userInput));

Java

String pattern = Pattern.quote(userInput);
Pattern.compile(pattern);

Ruby

pattern = Regexp.escape(user_input)

Go

pattern := regexp.QuoteMeta(userInput)

The classic bug: forgetting to escape

This pattern looks like it matches a US dollar amount:

$\d+.\d{2}

But three things are wrong:

$ means end-of-string, not a literal dollar — it'll fail to match anything
. means any character, not literal dot — accepts 1x99 as a match
No anchor or word boundary means it'll match inside larger numbers

Fixed:

\$\d+\.\d{2}

Escaping in string literals — double backslashes

When writing regex in a programming language's string literal, you usually need to double the backslashes:

// JavaScript regex literal — single backslash
/\d+/

// JavaScript string passed to RegExp() — double backslash
new RegExp("\\d+")

// Python raw string r"..." — single backslash
re.compile(r"\d+")

// Python regular string — double backslash
re.compile("\\d+")

Always prefer raw strings or regex literals when your language supports them. They're easier to read and harder to get wrong.

What does NOT need escaping

People often over-escape. These don't need backslashes:

/ — forward slash (except in JS regex literals where it's the delimiter)
" — double quote
' — single quote
Letters and digits — always literal
!@#&_;:<> and most punctuation

The takeaway

Remember the 14 metacharacters: . * + ? ^ $ ( ) [ ] { } | \. Escape these when you want them literal.

For user input, always use your language's regex-escape helper — don't construct patterns by string concatenation without it. Otherwise a user search for $5.00 will turn into an invalid pattern and crash your code.