< // LAB_DASHBOARD

Encoder Lab

PROCESS DATA STRINGS FOR WEB COMPATIBILITY
URL ENCODE
--
URL DECODE
--
HTML ENTITY
--
PLAINTEXT LENGTH
0

The Purpose of URL Encoding and Percent-Encoding

URLs are designed to carry data across the web, but they are limited to a specific subset of characters defined by the RFC 3986 standard. Characters within a URL are split into reserved (like /, ?, &, =, and :, which have special syntax meanings) and unreserved characters (alphanumeric characters, hyphen, period, underscore, and tilde).

When you need to pass data containing reserved characters (such as spaces, symbols, or non-ASCII characters) inside a URL query parameter, you must use percent-encoding. This process replaces unsafe characters with a percent sign (%) followed by the two-digit hexadecimal representation of their ASCII byte values (for example, a space becomes %20, and an ampersand becomes %26).

HTML Entity Escaping and XSS Prevention

When web applications render user-supplied input directly inside HTML documents, they run the risk of introducing syntax vulnerabilities. For example, if a user submits a comment containing HTML or JavaScript code, the browser might interpret and execute that script. This is known as a Cross-Site Scripting (XSS) attack.

To prevent XSS, developers use HTML entity escaping. This process converts reserved markup characters into their corresponding safe HTML entities. For example, the less-than symbol (<) is replaced with &lt;, the greater-than symbol (>) is replaced with &gt;, and the ampersand (&) is replaced with &amp;. When the browser encounters these entities, it renders them as text characters rather than parsing them as executable code elements.

Practical Differences Between URL and HTML Encoding

While both techniques protect data structures, they serve entirely different layers of the web application stack:

ENCODER LAB FAQ

Why are spaces converted to %20 or + in URLs?

URLs cannot contain literal space characters. In query parameters, spaces are encoded as either `%20` or `+` (specifically in form submissions encoded as application/x-www-form-urlencoded). Both formats represent spaces but follow slightly different RFC definitions depending on the context of the URL parser.

What is Cross-Site Scripting (XSS) and how does HTML escaping prevent it?

XSS is a security vulnerability where an attacker injects malicious client-side script code into a trusted website. HTML entity escaping converts dynamic values like `