url_escape(str) -> encoded

URL-encode a string for safe use in query parameters

Encodes str using application/x-www-form-urlencoded rules:

• Newlines are normalised to \r\n before encoding

• Spaces are encoded as +

• All other characters that are not unreserved (A-Z a-z 0-9 - _ . ~ %) are percent-encoded as %XX

html_unescape(str) -> decoded

Decode HTML entities back to their original characters

Handles three entity forms:

• Named entities: &, <, >, ", '

• Decimal numeric references: &#NNN;

• Hexadecimal numeric references: &#xNNN;

Codepoints above 255 are decoded to UTF-8 via std.utf.char.

html_escape(str) -> escaped

Escape angle brackets in a string for safe HTML embedding

Only < and > are replaced (< and >). This is intentionally limited to neutralising tags when embedding user-supplied values inside HTML content or attributes. It is not a general-purpose HTML sanitizer — &, ", and ' are left untouched.

make_form_data(items) -> content_type, body

Build a multipart/form-data body from a list of items

Each item in the list is a table with the following fields:

• name — form field name (required)

• content — string content for text fields

• path — file path; if set and file exists, reads content from file

• mime — override MIME type (auto-detected from path if not set)

parse_args(body) -> args

Parse a URL-encoded form body into a key-value table

Parses an application/x-www-form-urlencoded body. + signs in values are restored to spaces before URL-decoding; values are then HTML-escaped via html_escape. Returns an empty table for non-string or empty input. Key-value pairs missing the = separator are silently skipped.

parse_form_data(boundary, body) -> args

Parse a multipart/form-data body into a key-value table

Parses a multipart/form-data body using the given boundary string. Text fields are URL-decoded and HTML-escaped. File uploads are returned as tables with filename, content, and content_type fields.