Text escaping and unescaping in javascript

Saved searches

Use saved searches to filter your results more quickly

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.

Text Escaping and Unescaping in JavaScript (incl. UTF-8, UTF-16, UTF-32, dec, hex, and more)

jupiter/node-strutil

This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Sign In Required

Please sign in to use Codespaces.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching Xcode

If nothing happens, download Xcode and try again.

Launching Visual Studio Code

Your codespace will open once ready.

There was a problem preparing your codespace, please try again.

Latest commit

Git stats

Files

Failed to load latest commit information.

README.md

Text Escaping and Unescaping in JavaScript (UTF-8, UTF-16, UTF-32, dec, hex, punycode, mime, base64, and more)

From http://0xcc.net/jsescape/ — adapted for use as a CommonJS module.

Original Copyright (c) 2007 Satoru Takabayashi

Adaptation Copyright (c) 2012 Pieter Raubenheimer pieter@wavana.com

All rights reserved. This is free software with ABSOLUTELY NO WARRANTY. You can redistribute it and/or modify it under the terms of the GNU General Public License version 2.

About

Text Escaping and Unescaping in JavaScript (incl. UTF-8, UTF-16, UTF-32, dec, hex, and more)

Источник

Text Escaping and Unescaping in JavaScript

A collection of utilities for text escaping and unescaping in JavaScript. Try typing «abc» in the first form to see how it works. Any form can be edited.

Plain text	hide all

\uXXXX	hide

\UXXXXXXXX	hide

&#DDDD;	hide

&#xXXXX;	hide

Punycode	hide

\xXX	hide

\OOO	hide

Base64	hide

Quoted-printable	hide

URL	hide

MIME + Base64	hide

MIME + Quoted-printable	hide

Notes

• No data is sent to the server (i.e. everything is done in JavaScript).
• Conversion from Unicode to other encodings such as Shift_JIS can be slow first time as it needs to initialize internal conversion tables.
• Surrogate pairs in UTF-16 are supported. Try inserting \uD840\uDC0B in the second form.
• Three-byte characters in EUC-JP are not supported.

Links

TODO

• Japanese version of this page
• Support more encodings like GBK
• On-deman loading of conversion tables
• IDNA support (would be hard)

Источник

How to escape & unescape HTML characters in string in JavaScript

Many candidates are rejected or down-leveled due to poor performance in their System Design Interview. Stand out in System Design Interviews and get hired in 2023 with this popular free course.

Escape HTML

Escaping HTML characters in a string means replacing the:

• less than symbol ( <) with <
• greater than symbol (>) with >
• double quotes («) with "
• single quote (’) with '
• ampersand (&) with &

Let’s suppose we have an HTML element as a string:

We can escape the HTML of the string using the replace method of the string.

function escape(htmlStr)  
return htmlStr.replace(/&/g, "&")
 
.replace(/ 
.replace(/>/g, ">")
 
.replace(/"/g, """)
 
.replace(/'/g, "'");
 
>
 
console.log(escape(""));
 

In the code above, we have used regex to globally replace the:

The replace method will return a new string by replacing the matched pattern with the replacement string.

Unescape HTML

Unescaping HTML in a string does the reverse of what we have done above, by replacing:

function unEscape(htmlStr)  
htmlStr = htmlStr.replace(/</g , "<");
 
htmlStr = htmlStr.replace(/>/g , ">");
 
htmlStr = htmlStr.replace(/"/g , "\"");
 
htmlStr = htmlStr.replace(/'/g , "\'");
 
htmlStr = htmlStr.replace(/&/g , "&");
 
return htmlStr;
>
 
let unEscapedStr =unEscape(`<script>alert('hi')</script>`);
console.log(unEscapedStr);

Learn in-demand tech skills in half the time

Источник

HTML/text/JavaSript Escaping/Encoding Script

These scripts are intended to explain how to «hide» HTML and/or javascript from other people who view your page’s source code. It is not foolproof, but it does make it more difficult to read and understand the source code. Due to the nature of how these scripts work, the explanation may seem complicated and drawn out, but be patient and it should make sense once you gain a little experience with them. You don’t really have to know the ins-and-outs of these scripts, but it does help you understand how and why they work. So, take a seat and I’ll do my best to make this seem as un-complicated as possible.

Escape/Unescape

The first section of this page explains how to «escape» any text, HTML, or Javascript to make it generally unreadable to the common user. URL Escape Codes are two-character Hexadecimal (8-bit) values preceeded by a % sign. This is used primarily in browser URLs or for use when making cookies for characters that otherwise would not work, usually because they are reserved characters (like spaces and the like).

For example, if you had an HTML filename of page one , the escaped URL code would look like page%20one . The %20 is the escaped value for a space. Normally, you would only escape special characters (generally any character other than a-z, A-Z, and 0-9), but the script below actually escapes all the text simply by replacing all characters with their escaped equivalents. So, if you were to fully escape the words page one , it would look like: %70%61%67%65%20%6F%6E%65 . Now, none of the text is easily decipherable even though most of it was made up of normal characters.

Since the browser can inherently handle escape codes, this can be used pretty easily without having to add any more script to decipher them. So, if you want the browser to write that escaped text to the page, you could do something like:

All I’m doing here is putting the escaped string in a set of quotes (important!), wrapping that inside the built-in unescape() method, and then wrapping that in a document.write() method. This might seem a little worthless, but you could hide an email address this way to prevent web crawlers from snagging your e-mail address from your webpage to use in mass spam e-mailings, yet allowing visitors to read it fine. Unless, of course, you actually like getting Viagra solicitations. 🙂

For instance, fully escaped Script Asylum no-reply e-mail address would look like this to a web crawler:

document.write( unescape( ‘%6E%6F%72%65%70%6C%79%40%73%63%72%69%70%74%61%73%79%6C%75%6D%2E%63%6F%6D’ ) );

. but would look like this to a visitor:

The two textboxes below will let you fully escape and unescape any text you want. Just type whatever text/HTML/JavaScript you want in the left box and click the —> button to fully escape it. Likewise, click the

Encoding/Decoding

Now, you probably have figured out that you could hide an entire HTML page using the above method; but there are two disadvantages to doing that: Size and ease of «cracking» your code.

When you fully escape an entire page, every single character becomes 3 characters. This will triple the size of your page. Not a big deal if the page is only about 10-50 KBytes in size; but when you have a fairly large page (>100 KBytes), the filesize increases rapidly. This would slow the load time for surfers without a broadband connection.

Also, if someone were to look at your source code, it would be pretty easy to figure out what you are doing. Then they can simply copy & paste the code and make a small script to display the normal content. There is no absolute foolproof way (client-side) to foil someone from viewing your source if they are determined enough; the best you can hope for is to make it as inconvenient as possible.

So, to address both concerns you could encode/decode the text. Again, it won’t be foolproof to keep people from stealing your source content if they really want it. I am really using the terms «encode» and «decode» loosely here; what the following script does is not considered actual encoding, but it’s easier to say it that way. The encoded output will be a bit longer than the original text, but a lot less than if you had simply escaped it all.

The above section just escapes the text. The section below actually shifts the Unicode values so the result looks like gibberish. Give it a try and you’ll see; don’t forget to try different Code Key values from the drop-down box.

1. First, all the text is escaped.
2. Then the script finds the Unicode values for each character in the string.
3. Then the script adds whatever the Code Key drop-down box value is to each character’s Unicode value.
4. Then the script derives characters based on the shifted Unicode values.
5. The Code Key value is also embedded in the decoded text so the script knows how to properly decode the string again.
6. Finally, it escapes the result one more time to remove any special characters. Now, the output looks totally foreign to someone who cannot un-shift Unicode values in their head. 🙂

Once escaped, the function looks like this:

Neat huh? 🙂
Anyway, now you have to make the browser write that part of the script to the page by wrapping it in the document.write() and unescape() methods like this:

Once the script above is encoded using «code key» number 1, it looks like this:

Then, you decode the string and write it to the page by calling the dF() function (which was just unescaped and written to the page in the previous step) passing the string above like this:

• Javascript Encoder — Designed to encode Javascript only. Useful to only encode and install a script in an already created HTML page.
• HTML Page Encoder — Designed to encode your whole HTML page. You just enter your HTML sourcecode into one box, select the encoding scheme, and press the «encode» button. The output can be pasted directly into a blank page and saved as an HTML file.

Источник