Skip to content

JSON To CSV

Convert a JSON object array into RFC 4180-style CSV locally with default spreadsheet formula protection.

Privacy: your files never leave your device. All processing happens locally in your browser.

How to use

  1. 1.Paste a non-empty JSON array whose every row is an object and confirm it stays within the visible limits.
  2. 2.Convert the records, then review column order, nested JSON cells, quoting, and any reported formula-risk prefixes.
  3. 3.Download converted.csv and choose UTF-8 comma-separated import settings in the receiving application.

About JSON To CSV

JSON to CSV Converter transforms a non-empty JSON array of objects into a downloadable comma-separated file in the current browser. Paste records such as [{"name":"Alice","age":30},{"name":"Bob","age":31}], convert them, inspect the exact CSV text, and download converted.csv. The JSON input, parsed records, CSV output, and download remain local to the tab and are not uploaded to Lizely.

The accepted top-level shape is deliberately narrow: an array containing one or more JSON objects. A top-level object, primitive, empty array, null row, array row, or primitive row is rejected with a specific message. Columns are discovered by scanning parsed records from first to last and adding each field the first time it appears. Later records can introduce additional columns. Missing fields and explicit null values become empty CSV cells. False, true, zero, and other JSON primitive values retain their ordinary text forms.

Nested objects and arrays are not flattened into dotted columns. They are serialized as compact JSON inside one cell. CSV quoting then protects the JSON double quotes and commas. This avoids inventing a flattening convention that could collide with real field names or lose array structure. It also means a consumer must parse that cell as JSON if the nested structure is needed again. Object property order inside the compact nested text follows the parsed JavaScript object's enumeration behavior.

Output follows the common RFC 4180 field rules. A comma separates fields, and CRLF separates records. Fields containing a comma, double quote, carriage return, or line feed are enclosed in double quotes. Each double quote inside a quoted field is doubled. Empty values remain empty fields. The converter does not trim leading or trailing spaces, add a UTF-8 BOM, infer dates, localize numbers, or change delimiters based on the browser locale. These choices keep the output deterministic and visible.

Spreadsheet formula injection is handled by an always-on safety policy. Field names and JSON string values that begin with =, +, -, @, tab, carriage return, or a formula trigger after ECMAScript whitespace, including a leading BOM or no-break space, receive a leading apostrophe before CSV escaping. Spreadsheet programs commonly treat that apostrophe as a request for text. This mitigation intentionally changes those textual values, and the result summary reports how many cells were prefixed. JSON numeric values are typed data rather than attacker-controlled formula strings, so a JSON number such as -42 remains -42.

Formula protection reduces a common risk but is not a universal security guarantee for every spreadsheet program, import setting, locale, or downstream transformation. A later application might remove the apostrophe, reinterpret text, or apply different trigger rules. Review untrusted exports before opening them in software that can execute formulas, commands, links, or external data connections. This tool does not provide a switch to disable the default protection because its ordinary download path should be safe by default.

Limits are explicit and never implemented as silent caps. Input may contain up to 1,000,000 JavaScript characters. The array may contain at most 10,000 rows, the discovered schema at most 200 columns, and the generated CSV at most 5,000,000 characters. Crossing any boundary returns an error and no shortened CSV. The text area continues to show over-limit input and marks it in the counter rather than cutting characters during typing.

Editing the JSON clears the previous CSV, error, and download URL. Converting again revokes the older download before creating a new Blob URL, conversion errors leave no stale success visible, and leaving the page releases the remaining URL. The downloadable MIME type is text/csv with UTF-8 charset. The preview contains the same complete string placed in the Blob, so quoting, formula prefixes, column order, and nested JSON can be checked before saving.

Use this converter for controlled data exchange, developer fixtures, small exports, and spreadsheet preparation. Validate the JSON first when the source may be incomplete, and inspect the receiving application's import options. CSV does not carry data types, nested schemas, character-encoding declarations inside the file, or a universal dialect marker. Keep the original JSON whenever types and structure matter, and use a schema-aware pipeline for production migrations or regulated data.

Methodology & sources

The browser parses a non-empty JSON object array, discovers up to 200 columns in first-encounter order, maps missing and null values to empty fields, and serializes nested arrays or objects as compact JSON. Dangerous string cells and headers receive an always-on leading apostrophe before RFC 4180 escaping. Fields with comma, quote, CR, or LF are double-quoted with internal quotes doubled; records join with CRLF. Explicit input, row, column, and output limits fail without partial CSV, and each successful conversion receives a replaceable local Blob URL.

Frequently asked questions

Which JSON shape is supported?
Only a non-empty top-level array of objects. Primitive rows, array rows, null rows, and other top-level shapes are rejected.
How are columns ordered?
Records are scanned in order, and each field is added when first encountered in the parsed objects.
What happens to nested objects and arrays?
They are serialized as compact JSON in a single CSV cell and then quoted according to CSV rules.
Why do some string cells gain an apostrophe?
Default formula-injection protection prefixes dangerous string values and headers. The change is intentional and its count is shown.
Are the records uploaded?
No. JSON parsing, schema discovery, CSV escaping, preview, and Blob download creation happen in the current browser tab.

Developer Tools guides

View all