String Transform Pipelines
Summary
Definition: A transform pipeline is an explicit, ordered sequence of text operations with defined inputs and outputs.
Why it matters: Repeatable steps prevent mismatches, bugs, and security issues caused by ambiguous encoding.
Pitfall: The same bytes can have many string forms; canonicalize and validate to avoid surprises.
A string transform pipeline is a contract: ordered steps, explicit inputs/outputs, and checks.
Use it to make encoding, escaping, and normalization repeatable and safe.
- Pipeline
- Ordered steps with explicit inputs/outputs.
- Stage
- One transform applied to a value.
- Deterministic
- Same input yields same output.
- Idempotent
- Applying twice yields same result.
- Reversible
- Can be undone by an inverse step.
- Lossy
- Drops information; not fully reversible.
- Encoding
- Bytes to text (e.g., Base64).
- Escaping
- Context-safe text (e.g., URL encode).
The core idea
A pipeline is more than a list. It is a contract: order, step types, and validation rules.
Common mix-up: Base64 hides data. It does not; it is reversible encoding, not encryption.
Classify steps before you chain them
Different transform types have different ordering and reversibility rules.
| Type | Example | Reversible |
|---|---|---|
| Normalize | Unicode NFC | Usually |
| Encode | Base64/Base64URL | Yes |
| Escape | URL encode | Yes |
| Compress | gzip | Yes |
| Hash | SHA-256 | No |
| Trim | strip/substring | No |
A step can be reversible but still risky if applied in the wrong context (for example, URL encoding a whole URL).
Why order matters
Order controls meaning. If you escape too early or decode out of order, you get mismatches or bugs.
Decoding without context checks can enable double-decode bugs and canonicalization issues.
Safe default ordering
Use this default when you are preparing data for transport or storage in a different system.
- Normalize representation (e.g., Unicode NFC, line endings).
- Encode bytes to text (prefer Base64URL for URL tokens).
- Escape for the exact context at the edge (query/path/form).
- Validate invariants (charset, length, allowed set).
Examples
Prefer Base64URL for URL-safe tokens; escape only if required by context.
Input bytes -> Base64URL -> (optional) URL encode -> OutputTrimming is not safe for identifiers; it can silently change meaning.
"abc " -> trim -> "abc" (cannot recover the original)Double-encoding changes output and often breaks decoding.
value -> URL encode -> URL encode -> wrong outputPractical checks
- Write down each step name, parameters, and expected input/output type.
- Add a round-trip test: encode then decode returns the original bytes/text.
- Add boundary checks: allowed chars, max length, and exact context of escaping.
Use with Encrypt Online
- Use String Transform Pipeline to record and replay steps.
- Use Base64URL Encode/Decode for URL-safe encodings.
- Use URL Encode only at the transport boundary and for the right context.
FAQ
Can I reorder steps? Only if steps commute and remain reversible. Most real pipelines do not.
Should I URL-encode last? For transport, yes: escape for the specific context (query/path/form) at the edge.
Can I reverse a pipeline? Yes, if every step is reversible and you decode in strict reverse order.