Text/URL Input

Encoded URL OutputLive

Start typing to see live preview...

URL Encoder & Decoder - Free Online Percent-Encoding Tool

Encode URLs and query strings with percent-encoding or decode URL-encoded strings back to readable text. Free, browser-based, instant. Essential for developers working with REST APIs, query parameters, and web links.

What Is URL Encoding? Complete Guide to Percent-Encoding

URL encoding (also called percent-encoding) is a mechanism for encoding characters in a URI (Uniform Resource Identifier) or URL by replacing unsafe characters with a percent sign (%) followed by two hexadecimal digits representing the character's UTF-8 byte value. It is defined in RFC 3986.

URLs can only be sent over the internet using the ASCII character set, and certain characters have special meanings within a URL structure (/ separates path segments, ? starts the query string, & separates parameters, = separates key-value pairs, # starts a fragment). When these characters appear as data values rather than structural delimiters, or when non-ASCII characters (Unicode) appear in a URL, they must be percent-encoded to avoid ambiguity and ensure correct interpretation by browsers and servers.

For example, a space character (ASCII 32) becomes %20, the @ symbol (ASCII 64) becomes %40, and the Chinese character 中 (UTF-8 bytes: E4 B8 AD) becomes %E4%B8%AD. Our tool uses JavaScript's built-in encodeURIComponent() function which correctly handles Unicode characters via UTF-8 encoding.

URL Encoding vs encodeURI vs encodeURIComponent

JavaScript provides three URL-encoding functions, and choosing the right one matters:

FunctionDoes NOT encodeUse case
encodeURI()A-Z a-z 0-9 ; , / ? : @ & = + $ - _ . ! ~ * ' ( ) #Encoding a complete URL where you want to preserve structural characters
encodeURIComponent()A-Z a-z 0-9 - _ . ! ~ * ' ( )Encoding a query parameter value or path segment (used by this tool)
escape() (deprecated)@ * / +Legacy - do not use in new code

This tool uses encodeURIComponent() which is appropriate for encoding individual parameter values, path components, and data that will be embedded within a URL. It encodes :, /, ?, &, and = - the structural URL characters - making it safe for query parameter values.

URL Encoding Examples: Common Characters

Encoding Example

Input URL:
https://example.com/search?q=hello world&lang=en
Encoded:
https%3A%2F%2Fexample.com%2Fsearch%3Fq%3Dhello%20world%26lang%3Den

Common Character Encodings

CharacterEncodedName
space%20Space
!%21Exclamation
#%23Hash
&%26Ampersand
=%3DEquals
?%3FQuestion mark
@%40At sign
+%2BPlus

When to Use URL Encoding: Real Developer Use Cases

Query String Parameters

When building URLs with user-provided values as query parameters, always URL-encode the values. A search query like "C++ programming" must be encoded to C%2B%2B%20programming to prevent the + and spaces from being misinterpreted as URL syntax. Failing to encode allows users to inject arbitrary URL components (URL injection attacks).

REST API Requests

When passing data as URL parameters in REST API calls, all parameter values must be URL-encoded. This is especially important for filter values, search terms, email addresses, file paths, and any user-generated content embedded in API URLs. Use URLSearchParams in JavaScript to build query strings automatically.

Redirect URLs

When implementing login redirects, OAuth callbacks, or post-action redirects where a URL is passed as a parameter, the return URL must be URL-encoded. For example: /login?redirect=https%3A%2F%2Fapp.example.com%2Fdashboard. Without encoding, the nested URL would break the outer URL's structure.

Internationalized URLs (IDN)

URLs can contain Unicode characters (international domain names, non-Latin path segments) which must be percent-encoded for use in HTTP requests. For example, Chinese, Arabic, or emoji characters in URLs are encoded as UTF-8 byte sequences: the path /café becomes /caf%C3%A9. Browsers display the decoded "pretty" form while sending the encoded form in HTTP headers.

Form Data Submission

HTML form submission with method="GET" URL-encodes all form field values and appends them as query parameters. The application/x-www-form-urlencoded content type (also used for POST form data) requires all values to be URL-encoded with + representing spaces instead of %20.

Email Links (mailto:)

The mailto: URI scheme uses URL encoding for subject, body, and recipient parameters. For example: mailto:[email protected]?subject=Hello%20World&body=Check%20this%20out%3A%20https%3A%2F%2Fexample.com. Special characters in the subject and body must be encoded to prevent parsing errors.

Code Examples: URL Encoding in Different Languages

JavaScript

// Encode a parameter value
const encoded = encodeURIComponent("Hello World & more!");
// "Hello%20World%20%26%20more!"

// Decode
const decoded = decodeURIComponent("Hello%20World");
// "Hello World"

// Build a full query string safely
const params = new URLSearchParams({
  q: "C++ programming",
  lang: "en"
});
const url = `/search?${params}`;

Python

from urllib.parse import quote, unquote, urlencode

# Encode
encoded = quote("Hello World & more!")
# "Hello%20World%20%26%20more%21"

# Decode
decoded = unquote("Hello%20World")
# "Hello World"

# Build query string
params = {"q": "C++ programming", "lang": "en"}
query = urlencode(params)
# q=C%2B%2B+programming&lang=en

PHP

// Encode
$encoded = urlencode("Hello World & more!");
// "Hello+World+%26+more%21"

// rawurlencode follows RFC 3986
$encoded = rawurlencode("Hello World");
// "Hello%20World"

// Decode
$decoded = urldecode("Hello+World");
// "Hello World"

Node.js

const { URLSearchParams } = require("url");

// Encode value
const encoded = encodeURIComponent("Hello World");

// Build query string
const params = new URLSearchParams({
  search: "hello world",
  filter: "type:image"
});
console.log(params.toString());
// search=hello+world&filter=type%3Aimage

Frequently Asked Questions About URL Encoding

What is the difference between %20 and + for spaces?

Both %20 and + represent spaces in URL encoding, but in different contexts. %20 is the RFC 3986 standard percent-encoding of a space. The + character represents a space only in application/x-www-form-urlencoded format (HTML form data). In path segments and query parameter values sent to modern servers, %20 is preferred. Our tool uses %20 (via encodeURIComponent) which is correct for URI components.

What characters do not need to be URL-encoded?

The following characters are "unreserved" in RFC 3986 and do not need to be encoded: uppercase and lowercase letters (A-Z, a-z), digits (0-9), and the four special characters: hyphen -, underscore _, period ., and tilde ~. All other characters, including spaces, punctuation, and non-ASCII Unicode, must be percent-encoded when appearing in URL components.

Is URL encoding the same as HTML encoding?

No. URL encoding (percent-encoding) replaces special characters with %XX hex sequences for URLs. HTML entity encoding replaces characters with HTML entities like &amp; for &, &lt; for <, and &gt; for > for safe rendering in HTML documents. They serve different purposes and should not be interchanged.

Why do I get "Invalid URL encoding" errors?

Common causes: (1) Incomplete percent sequences - %2 alone is invalid (must be %2F). (2) Invalid hex digits after % - only 0-9 and A-F are valid. (3) Double-encoded values - %2520 is a space that was encoded twice. (4) Non-UTF-8 sequences - some legacy systems use Latin-1 or other encodings rather than UTF-8 for percent-encoding non-ASCII characters.

Should I encode the entire URL or just the parameters?

You should encode individual components, not the entire URL at once. Encoding the complete URL would encode the structural characters (://, /, ?, &, =) that browsers need to parse the URL. Instead: use encodeURIComponent() on each parameter value separately, then assemble the full URL. Use URLSearchParams in JavaScript for safe query string building.

Does URL encoding protect against SQL injection or XSS?

No. URL encoding is not a security measure against injection attacks. It ensures correct URL parsing, but does not sanitize inputs for use in SQL queries or HTML output. For SQL injection prevention, use parameterized queries. For XSS prevention, use context-appropriate output encoding (HTML entity encoding for HTML context, JavaScript escaping for JS context). URL encoding is for URL structure only.