How to Remove Special Characters from a String in JavaScript
Sanitizing strings by removing special characters is a common requirement for creating URL-friendly slugs, safe filenames, or simply cleaning up user input. The most powerful and efficient way to accomplish this is with the String.prototype.replace() method using a regular expression.
This guide will teach you the two main approaches for this task: the "allowlist" approach (specifying which characters to keep) and the "denylist" approach (specifying which characters to remove). For most use cases, the allowlist method is more robust.
Method 1 (Recommended): The "Allowlist" Approach
This is the most common and generally safest method. You define a set of characters that you want to keep, and the regular expression removes everything else. This is ideal for ensuring a string only contains alphanumeric characters, spaces, or other "safe" characters.
Problem: you have a string with a mix of letters, numbers, and symbols, and you want to remove everything that isn't a letter, a number, or a space.
// Problem: How to strip all the symbols from this string?
let messyString = 'He!!o, W@rld! 123?';
Solution: use a negated character set ([^...]) in your regular expression.
let messyString = 'He!!o, W@rld! 123?';
// This regex matches any character that is NOT a-z, A-Z, 0-9, or a space.
let sanitizedString = messyString.replace(/[^a-zA-Z0-9 ]/g, '');
console.log(sanitizedString);
Output:
Heo Wrld 123
This is the recommended best practice for sanitizing a string to a known-safe set of characters.
How the Allowlist Regex Works
Let's break down the pattern /[^a-zA-Z0-9 ]/g:
/ ... /g: The forward slashes denote a regular expression, and thegis the global flag, which is crucial for replacing all occurrences, not just the first.[ ... ]: This defines a character set. It will match any single character inside the brackets.^: When the caret^is the first character inside a character set, it negates the set. It means "match any character that is not in this set."a-zA-Z: This is a range that matches any lowercase letter fromatozand any uppercase letter fromAtoZ.0-9: This is a range that matches any digit.
So, the regex reads: "Find all characters that are not a letter, not a digit, and not a space, and replace them with an empty string ('')."
A Shorter Version with \w
You can use the \w special character as a shortcut for a-zA-Z0-9_ (alphanumeric characters plus the underscore).
let str = 'He!!o_W@rld! 123?';
// This will keep letters, numbers, spaces, AND underscores.
let sanitized = str.replace(/[^\w ]/g, '');
console.log(sanitized);
Output:
Heo_Wrld 123
Method 2: The "Denylist" Approach
An alternative is to explicitly list all the special characters you want to remove. This can be useful if you have a very specific and limited set of characters to strip.
Problem: you want to remove only periods, commas, and exclamation marks from a string.
Solution: create a character set containing only the characters you want to remove.
let str = 'Hello, World.! This is a test.';
// This regex matches only the characters ',', '.', or '!'.
let sanitized = str.replace(/[.,!]/g, '');
console.log(sanitized);
Output:
Hello World This is a test
This method is less robust for general sanitization because it's easy to miss a character, but it's perfect when you have a precise list of characters to remove.
Practical Example: Creating a URL Slug
This is a classic use case. A slug is a URL-friendly version of a string, typically in lowercase with hyphens instead of spaces and all special characters removed.
function createSlug(text) {
return text
.toLowerCase()
// 1. Keep only letters, numbers, spaces, and hyphens.
.replace(/[^a-z0-9 -]/g, '')
// 2. Replace one or more spaces with a single hyphen.
.replace(/\s+/g, '-')
// 3. Replace one or more hyphens with a single hyphen.
.replace(/-+/g, '-');
}
// Example Usage:
let postTitle = 'My First Blog Post!! (Part 1)';
let slug = createSlug(postTitle);
console.log(slug);
Output:
my-first-blog-post-part-1
This multi-step replace() chain is a powerful and common pattern for sanitizing and formatting strings.
Conclusion
Removing special characters from a string is a task perfectly suited for regular expressions.
- The recommended best practice is the "allowlist" approach using a negated character set:
string.replace(/[^a-zA-Z0-9 ]/g, ''). This is the safest way to ensure your final string contains only the characters you explicitly permit. - The "denylist" approach (
string.replace(/[!@#$]/g, '')) is useful when you have a small, specific set of characters to remove. - Always use the global (
g) flag withreplace()to ensure you remove all occurrences of the special characters, not just the first one.