This decoder reverses the most common text-encoding tricks in one place: HTML entities, JavaScript backslash escapes, and URL percent-encoding. It is built for security work — de-obfuscating a payload without pasting it into a live console where it might execute.
How it works
The tool applies up to three independent decoders, in the order you select:
- Percent-encoding —
%XXsequences are converted with adecodeURIComponent-style pass (falling back to a manual byte decode if the input is malformed). - JavaScript escapes —
\uXXXX,\u{...},\xXX, and the standard\n \r \tescapes are replaced with the characters they represent. - HTML entities — named entities (
&), decimal entities ( ), and hex entities ( ) are decoded using the browser’s own entity table via an in-memory element’s text parsing. The value is read back as text only — it is never inserted into the live document or interpreted as markup.
Because each layer is a pure string transformation, the worst a hostile input can do is produce more text. Nothing is ever evaluated.
Why this matters for security analysis
Attackers layer encodings to slip past naive filters. A single <script> tag might arrive in any of these forms:
%3Cscript%3E (percent-encoded)
<script> (HTML hex entities)
\x3cscript\x3e (JavaScript hex escapes)
%26%23x3C%3Bscript%26%23x3E%3B (double-encoded: percent-encoded HTML entity)
Each of these is effectively the same payload, but a simple string search for <script> misses all of them. WAFs and input filters that decode only one layer can be bypassed by layering two.
Pasting such a string into the browser DevTools console to “see what it is” risks accidental execution if the final decoded string is a valid expression and the console evaluates it. This tool decodes to inert text — you see the true payload safely, without any execution path.
Peeling nested encodings
Real-world obfuscation sometimes nests multiple layers. For example, a percent-encoded HTML entity:
%26lt%3B -> < (one percent-decode pass)
-> < (one HTML entity decode pass)
Run the tool with all layers enabled for a single-pass decode. If the output still looks encoded, run it again — repeat until the output stops changing.
Notes and tips
- Toggle layers off to isolate a single encoding when you want to understand exactly how a string was obfuscated — this helps map the attacker’s technique.
- Non-printing and control characters in the output are shown with a visible marker so a hidden U+202E (right-to-left override) or null byte (
\x00) cannot disguise itself inside the decoded text. - Watch for Unicode homoglyphs in decoded output: characters that look like ASCII letters but have different code points (for example, Cyrillic
аvs Latina). These are used in homograph attacks on domain names and source code. - Decoding is one-directional here; this tool does not re-encode. All work stays in your browser and nothing is uploaded or logged.