URL Encoding Explained: A Complete Guide
Why URLs need encoding, which characters must be escaped, and how percent-encoding works.
basicswebhttp
Read article
URL Encoder & Decoder
Encode & DecodeSafely encode special characters for URLs
Learn More About URL Encoder & Decoder
3 articles to help you understand and use this tool effectively
JavaScript URL Encoding: encodeURI vs encodeURIComponent
Understanding encodeURI vs encodeURIComponent and when to use each JavaScript function.
javascripttutorialcode
Read article
URL Encoding and Security: Preventing Injection Attacks
How improper URL encoding leads to security vulnerabilities like XSS and injection attacks.
securityxssbest-practices
Read article
URL Encoder & Decoder FAQ
Common questions about using the URL Encoder & Decoder tool
URL encoding (also called percent-encoding) converts special characters in URLs to a format that can be safely transmitted. Characters are replaced with '%' followed by their hexadecimal ASCII value (e.g., space becomes %20, & becomes %26).
URLs can only contain a limited set of ASCII characters. Special characters like spaces, &, =, ?, and non-ASCII characters must be encoded to avoid breaking URL structure or causing security issues. Encoding ensures URLs work correctly across all systems.
encodeURI() encodes a complete URL, preserving characters with special URL meaning (: / ? & = #). encodeURIComponent() encodes ALL special characters, making it suitable for encoding values within query parameters. Use encodeURIComponent() for user input in URLs.
To encode a URL: 1) Enter your URL or text in the input field, 2) Select 'Encode' mode, 3) Copy the encoded result. For query parameters specifically, use encodeURIComponent() in JavaScript: `?q=${encodeURIComponent(userInput)}`.
To decode a URL: 1) Paste the encoded URL in the input field, 2) Select 'Decode' mode, 3) The decoded result appears instantly. In JavaScript, use decodeURIComponent() for query parameters or decodeURI() for complete URLs.
Characters that must be encoded include: spaces (%20), ampersand & (%26), equals = (%3D), question mark ? (%3F), hash # (%23), percent % (%25), and all non-ASCII characters. Reserved characters depend on context within the URL.
In query strings, spaces can be encoded as either %20 or +. The + notation is specific to application/x-www-form-urlencoded format. For path segments and general use, %20 is preferred. Modern JavaScript's URL API uses + for query parameters.
Double encoding occurs when already-encoded characters get encoded again (e.g., %20 becomes %2520). This causes URLs to fail because the server sees literal '%20' instead of a space. Always decode before re-encoding if unsure.
Unicode characters are first converted to UTF-8 bytes, then each byte is percent-encoded. For example, '日' becomes %E6%97%A5. JavaScript's encodeURIComponent() handles this automatically.
Proper URL encoding prevents injection attacks by ensuring user input cannot break out of its intended context. Always encode user-supplied values in URLs using encodeURIComponent() to prevent XSS, open redirects, and parameter pollution attacks.