Research
Security News
Malicious npm Packages Use Telegram to Exfiltrate BullX Credentials
Socket uncovers an npm Trojan stealing crypto wallets and BullX credentials via obfuscated code and Telegram exfiltration.
By Kush Pandya - May 08, 2025
🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
encodeurl
Encode a URL to a percent-encoded form, excluding already-encoded sequences
What is encodeurl?
The encodeurl npm package is used to encode a URL to a percent-encoded form, excluding already-encoded sequences. This is particularly useful when you need to encode a URL in a way that is safe to include in HTTP headers and HTML links without double-encoding existing percent-encoded characters.
What are encodeurl's main functionalities?
Percent-encoding URL
This feature allows you to encode a URL into a format that can be safely transmitted over the internet. The code sample demonstrates how to encode a URL with query parameters, ensuring that spaces and other special characters are properly percent-encoded.
const encodeUrl = require('encodeurl');
const encodedUrl = encodeUrl('https://example.com/foo?user=bar+baz');
console.log(encodedUrl);Other packages similar to encodeurl
querystring
The querystring package provides utilities for parsing and formatting URL query strings. It can be used to percent-encode a query string, but unlike encodeurl, it is specifically designed for handling the query string part of a URL and not the entire URL.
qs
Similar to querystring, the qs package allows for parsing and stringifying query strings with more advanced features like nested objects. It also handles percent-encoding but is focused on the query string component rather than full URLs.
urlencode
The urlencode package is another alternative for percent-encoding URLs and query strings. It offers similar functionality to encodeurl but with a slightly different API and additional options for encoding.
Encode URL
Encode a URL to a percent-encoded form, excluding already-encoded sequences.
Installation
npm install encodeurl
API
var encodeUrl = require('encodeurl')
encodeUrl(url)
Encode a URL to a percent-encoded form, excluding already-encoded sequences.
This function accepts a URL and encodes all the non-URL code points (as UTF-8 byte sequences). It will not encode the "%" character unless it is not part of a valid sequence (%20 will be left as-is, but %foo will be encoded as %25foo).
This encode is meant to be "safe" and does not throw errors. It will try as hard as it can to properly encode the given URL, including replacing any raw, unpaired surrogate pairs with the Unicode replacement character prior to encoding.
Examples
Encode a URL containing user-controlled data
var encodeUrl = require('encodeurl')
var escapeHtml = require('escape-html')
http.createServer(function onRequest (req, res) {
// get encoded form of inbound url
var url = encodeUrl(req.url)
// create html message
var body = '<p>Location ' + escapeHtml(url) + ' not found</p>'
// send a 404
res.statusCode = 404
res.setHeader('Content-Type', 'text/html; charset=UTF-8')
res.setHeader('Content-Length', String(Buffer.byteLength(body, 'utf-8')))
res.end(body, 'utf-8')
})
Encode a URL for use in a header field
var encodeUrl = require('encodeurl')
var escapeHtml = require('escape-html')
var url = require('url')
http.createServer(function onRequest (req, res) {
// parse inbound url
var href = url.parse(req)
// set new host for redirect
href.host = 'localhost'
href.protocol = 'https:'
href.slashes = true
// create location header
var location = encodeUrl(url.format(href))
// create html message
var body = '<p>Redirecting to new site: ' + escapeHtml(location) + '</p>'
// send a 301
res.statusCode = 301
res.setHeader('Content-Type', 'text/html; charset=UTF-8')
res.setHeader('Content-Length', String(Buffer.byteLength(body, 'utf-8')))
res.setHeader('Location', location)
res.end(body, 'utf-8')
})
Similarities
This function is similar to the intrinsic function encodeURI. However, it will not encode:
- The
\,^, or|characters - The
%character when it's part of a valid sequence [and](for IPv6 hostnames)- Replaces raw, unpaired surrogate pairs with the Unicode replacement character
As a result, the encoding aligns closely with the behavior in the WHATWG URL specification. However, this package only encodes strings and does not do any URL parsing or formatting.
It is expected that any output from new URL(url) will not change when used with this package, as the output has already been encoded. Additionally, if we were to encode before new URL(url), we do not expect the before and after encoded formats to be parsed any differently.
Testing
$ npm test
$ npm run lint
References
License
FAQs
Encode a URL to a percent-encoded form, excluding already-encoded sequences
The npm package encodeurl receives a total of 44,781,378 weekly downloads. As such, encodeurl popularity was classified as popular.
We found that encodeurl demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 29 Mar 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
Security News
Backdooring the IDE: Malicious npm Packages Hijack Cursor Editor on macOS
Malicious npm packages posing as developer tools target macOS Cursor IDE users, stealing credentials and modifying files to gain persistent backdoor access.
By Kirill Boychenko - May 07, 2025
Security News
AI Slop Is Polluting Bug Bounty Platforms with Fake Vulnerability Reports
AI-generated slop reports are making bug bounty triage harder, wasting maintainer time, and straining trust in vulnerability disclosure programs.
By Sarah Gooding - May 06, 2025