Text input is validated as well-formed Unicode and measured as both code points and UTF-8 bytes before conversion. ASCII, binary, hexadecimal, Base32, Base58, Base62, ASCII85, Z85, Latin-1 hexadecimal, and UTF-16 hexadecimal use explicit byte-level algorithms rather than coercing JavaScript strings through platform-dependent shortcuts.
RFC 4648 Base32 checks alphabet, padding, and zero trailing bits. Bitcoin Base58 and the documented 0-9/A-Z/a-z Base62 alphabet preserve leading zero bytes, but their repeated radix conversion is resource-intensive, so both encoded and decoded paths receive an 8,192-byte-specific bound before expensive work.
HTML mode recognizes a bounded common named-entity table plus valid numeric references; XML mode follows the five predefined XML entities and XML 1.0 character ranges. Unicode escapes reject unpaired surrogates, Punycode delegates to strict UTS #46 IDN validation, and no mode evaluates decoded source as markup or JavaScript.
Quoted-printable encodes UTF-8 with 76-character physical lines, Morse declares uppercase normalization and its supported alphabet, the emoji form is a documented custom hexadecimal token map, and UUEncode validates filename, octal permission, line lengths, terminator, and end marker. Latin-1 and UTF-16 choices remain explicit rather than guessed.
A dedicated Worker performs each conversion with a 15-second timeout and memory estimate. After text conversion, the inverse codec runs and the recovered value is compared under only the documented normalization rules. Image mode checks claimed MIME, signature, and basic PNG, JPEG, GIF, or WebP structure. Analytics receives mode, safe option names, timing, byte counts, and notice counts, never source or output content.