Encode URLs and query strings with percent-encoding or decode URL-encoded strings back to readable text. Free, browser-based, instant. Essential for developers working with REST APIs, query parameters, and web links.
URL encoding (also called percent-encoding) is a mechanism for encoding characters in a URI (Uniform Resource Identifier) or URL by replacing unsafe characters with a percent sign (%) followed by two hexadecimal digits representing the character's UTF-8 byte value. It is defined in RFC 3986.
URLs can only be sent over the internet using the ASCII character set, and certain characters have special meanings within a URL structure (/ separates path segments, ? starts the query string, & separates parameters, = separates key-value pairs, # starts a fragment). When these characters appear as data values rather than structural delimiters, or when non-ASCII characters (Unicode) appear in a URL, they must be percent-encoded to avoid ambiguity and ensure correct interpretation by browsers and servers.
For example, a space character (ASCII 32) becomes %20, the @ symbol (ASCII 64) becomes %40, and the Chinese character 中 (UTF-8 bytes: E4 B8 AD) becomes %E4%B8%AD. Our tool uses JavaScript's built-in encodeURIComponent() function which correctly handles Unicode characters via UTF-8 encoding.
JavaScript provides three URL-encoding functions, and choosing the right one matters:
| Function | Does NOT encode | Use case |
|---|---|---|
encodeURI() | A-Z a-z 0-9 ; , / ? : @ & = + $ - _ . ! ~ * ' ( ) # | Encoding a complete URL where you want to preserve structural characters |
encodeURIComponent() | A-Z a-z 0-9 - _ . ! ~ * ' ( ) | Encoding a query parameter value or path segment (used by this tool) |
escape() (deprecated) | @ * / + | Legacy - do not use in new code |
This tool uses encodeURIComponent() which is appropriate for encoding individual parameter values, path components, and data that will be embedded within a URL. It encodes :, /, ?, &, and = - the structural URL characters - making it safe for query parameter values.
https://example.com/search?q=hello world&lang=en
https%3A%2F%2Fexample.com%2Fsearch%3Fq%3Dhello%20world%26lang%3Den
| Character | Encoded | Name |
|---|---|---|
| space | %20 | Space |
! | %21 | Exclamation |
# | %23 | Hash |
& | %26 | Ampersand |
= | %3D | Equals |
? | %3F | Question mark |
@ | %40 | At sign |
+ | %2B | Plus |
When building URLs with user-provided values as query parameters, always URL-encode the values. A search query like "C++ programming" must be encoded to C%2B%2B%20programming to prevent the + and spaces from being misinterpreted as URL syntax. Failing to encode allows users to inject arbitrary URL components (URL injection attacks).
When passing data as URL parameters in REST API calls, all parameter values must be URL-encoded. This is especially important for filter values, search terms, email addresses, file paths, and any user-generated content embedded in API URLs. Use URLSearchParams in JavaScript to build query strings automatically.
When implementing login redirects, OAuth callbacks, or post-action redirects where a URL is passed as a parameter, the return URL must be URL-encoded. For example: /login?redirect=https%3A%2F%2Fapp.example.com%2Fdashboard. Without encoding, the nested URL would break the outer URL's structure.
URLs can contain Unicode characters (international domain names, non-Latin path segments) which must be percent-encoded for use in HTTP requests. For example, Chinese, Arabic, or emoji characters in URLs are encoded as UTF-8 byte sequences: the path /café becomes /caf%C3%A9. Browsers display the decoded "pretty" form while sending the encoded form in HTTP headers.
HTML form submission with method="GET" URL-encodes all form field values and appends them as query parameters. The application/x-www-form-urlencoded content type (also used for POST form data) requires all values to be URL-encoded with + representing spaces instead of %20.
The mailto: URI scheme uses URL encoding for subject, body, and recipient parameters. For example: mailto:[email protected]?subject=Hello%20World&body=Check%20this%20out%3A%20https%3A%2F%2Fexample.com. Special characters in the subject and body must be encoded to prevent parsing errors.
// Encode a parameter value
const encoded = encodeURIComponent("Hello World & more!");
// "Hello%20World%20%26%20more!"
// Decode
const decoded = decodeURIComponent("Hello%20World");
// "Hello World"
// Build a full query string safely
const params = new URLSearchParams({
q: "C++ programming",
lang: "en"
});
const url = `/search?${params}`;from urllib.parse import quote, unquote, urlencode
# Encode
encoded = quote("Hello World & more!")
# "Hello%20World%20%26%20more%21"
# Decode
decoded = unquote("Hello%20World")
# "Hello World"
# Build query string
params = {"q": "C++ programming", "lang": "en"}
query = urlencode(params)
# q=C%2B%2B+programming&lang=en// Encode
$encoded = urlencode("Hello World & more!");
// "Hello+World+%26+more%21"
// rawurlencode follows RFC 3986
$encoded = rawurlencode("Hello World");
// "Hello%20World"
// Decode
$decoded = urldecode("Hello+World");
// "Hello World"const { URLSearchParams } = require("url");
// Encode value
const encoded = encodeURIComponent("Hello World");
// Build query string
const params = new URLSearchParams({
search: "hello world",
filter: "type:image"
});
console.log(params.toString());
// search=hello+world&filter=type%3AimageBoth %20 and + represent spaces in URL encoding, but in different contexts. %20 is the RFC 3986 standard percent-encoding of a space. The + character represents a space only in application/x-www-form-urlencoded format (HTML form data). In path segments and query parameter values sent to modern servers, %20 is preferred. Our tool uses %20 (via encodeURIComponent) which is correct for URI components.
The following characters are "unreserved" in RFC 3986 and do not need to be encoded: uppercase and lowercase letters (A-Z, a-z), digits (0-9), and the four special characters: hyphen -, underscore _, period ., and tilde ~. All other characters, including spaces, punctuation, and non-ASCII Unicode, must be percent-encoded when appearing in URL components.
No. URL encoding (percent-encoding) replaces special characters with %XX hex sequences for URLs. HTML entity encoding replaces characters with HTML entities like & for &, < for <, and > for > for safe rendering in HTML documents. They serve different purposes and should not be interchanged.
Common causes: (1) Incomplete percent sequences - %2 alone is invalid (must be %2F). (2) Invalid hex digits after % - only 0-9 and A-F are valid. (3) Double-encoded values - %2520 is a space that was encoded twice. (4) Non-UTF-8 sequences - some legacy systems use Latin-1 or other encodings rather than UTF-8 for percent-encoding non-ASCII characters.
You should encode individual components, not the entire URL at once. Encoding the complete URL would encode the structural characters (://, /, ?, &, =) that browsers need to parse the URL. Instead: use encodeURIComponent() on each parameter value separately, then assemble the full URL. Use URLSearchParams in JavaScript for safe query string building.
No. URL encoding is not a security measure against injection attacks. It ensures correct URL parsing, but does not sanitize inputs for use in SQL queries or HTML output. For SQL injection prevention, use parameterized queries. For XSS prevention, use context-appropriate output encoding (HTML entity encoding for HTML context, JavaScript escaping for JS context). URL encoding is for URL structure only.
Discover more free developer tools that might interest you