Occasionally I get the urge to perform a bit of (disclaimer: amusing and non-malicious!) cross-site scripting (XSS) against the odd site I find which is just begging to be abused. Here’s a tool to percent-encode all characters in a URL parameter.

URL encoding (percent-encoding) is used to escape reserved characters in a URL when passing parameters around. For example, an ampersand inside a GET parameter value must be escaped, since it would otherwise be treated as starting the next variable.

The standard URL encoders take an input and replace all reserved characters with their percent-encoded equivalents. I couldn’t find an online tool to encode all characters, so I knocked up a quick bit of JavaScript to do the job.

Why would I want to do this? When playing around with XSS it’s nicer to hide the full payload in the URL rather than giving away hints as to what’s going to happen with all the unreserved characters still human readable.

So here it is: a JavaScript Percent-Encoder.
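Added example, not the author's encoder: the receiving side of the same trick. A fully percent-encoded parameter decodes to exactly the same value as a normally encoded one, so filters and log searches have to work on the decoded value, and escapes of unreserved characters (which never need encoding) are a cheap anomaly signal. The function names, the threshold of 4 and the sample query strings are assumptions made for this sketch.

```javascript
// RFC 3986 unreserved characters never need percent-encoding.
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// Split a raw query string into [name, rawValue] pairs WITHOUT decoding,
// so the original escapes are still visible for counting.
function rawParams(query) {
  return query.replace(/^\?/, "").split("&").filter(Boolean).map((pair) => {
    const i = pair.indexOf("=");
    return i < 0 ? [pair, ""] : [pair.slice(0, i), pair.slice(i + 1)];
  });
}

// Count %XX escapes and how many of them hide an unreserved character.
function escapeStats(raw) {
  let escapes = 0, needless = 0;
  for (const m of raw.matchAll(/%([0-9A-Fa-f]{2})/g)) {
    escapes++;
    if (UNRESERVED.test(String.fromCharCode(parseInt(m[1], 16)))) needless++;
  }
  return { escapes, needless };
}

// decodeURIComponent throws on malformed sequences; report those as null.
function safeDecode(raw) {
  try { return decodeURIComponent(raw.replace(/\+/g, " ")); }
  catch (e) { return null; }
}

// Per parameter: the decoded value to inspect, plus over-encoding flags.
// minNeedless is an assumed threshold; tune it against real traffic.
function inspectQuery(query, minNeedless = 4) {
  return rawParams(query).map(([name, raw]) => {
    const { escapes, needless } = escapeStats(raw);
    const decoded = safeDecode(raw);
    return { name, decoded, escapes, needless,
             overEncoded: needless >= minNeedless, malformed: decoded === null };
  });
}

// Constructed samples: the same value, normally encoded and fully encoded.
const NORMAL = "?q=hello%20world&lang=en";
const FULL = "?q=%68%65%6C%6C%6F%20%77%6F%72%6C%64&lang=en";
for (const q of [NORMAL, FULL]) console.log(q, inspectQuery(q));
```

Both samples decode to the same `q`, but only the second is flagged as over-encoded; whatever output encoding the page applies has to be driven by the decoded value.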