ED
EncryptDecrypt.tools

URL Encoder & Decoder

Convert text to URL-safe format or decode URL-encoded strings back to regular text

Home » Tools » Encoding » URL Encoder/Decoder

Common URL-encoded Characters

space %20
& %26
= %3D
? %3F
% %25
# %23
+ %2B
/ %2F
: %3A
@ %40
Invalid URL-encoded string. Please check your input.
Copied!
Live URL Preview Encoded

What is URL Encoding?

URL encoding, also known as percent encoding, is a method to convert characters into a format that can be transmitted over the Internet. URLs can only be sent over the Internet using the ASCII character set, which means characters outside this range must be encoded.

When to Use URL Encoding

  • Special Characters in URLs: When including special characters like spaces, &, =, ?, etc. in a URL
  • Form Submissions: When submitting data through HTML forms
  • Query Parameters: When adding parameters to URLs that contain special characters
  • Internationalization: When URLs contain non-ASCII characters like accents or non-Latin scripts
  • API Requests: When constructing API endpoints that require special characters

How URL Encoding Works

URL encoding works by replacing characters with a "%" followed by their hexadecimal ASCII value:

  • Spaces can be encoded as %20 or + (the latter is common in form submissions)
  • Special characters like & become %26
  • Reserved characters like ? become %3F
  • Non-ASCII characters are first converted to their UTF-8 bytes and then each byte is percent-encoded

URL Encoding Standards

There are several URL encoding standards: RFC 1738 (original), RFC 2396 (revised), and RFC 3986 (current). The differences relate primarily to which characters need to be encoded. Our tool supports multiple standards to ensure compatibility with all systems.

Understanding URL Encoding and Decoding

URL encoding is a fundamental technique for ensuring the safe transmission of data through URLs. When working with web development, APIs, or any internet communication that uses URLs, understanding URL encoding is essential to prevent data corruption and security issues.

The Need for URL Encoding

URLs are designed to work with a limited set of ASCII characters. However, modern applications often need to include a wide range of characters in URLs, including:

  • Special characters like spaces, ampersands, question marks
  • International characters from non-English languages
  • Symbols and punctuation that have special meaning in URLs
  • Binary data or control characters

Without encoding, these characters could break URL syntax or be interpreted incorrectly by servers. URL encoding solves this by representing these characters in a format that's safe for URLs.

Reserved Characters in URLs

Certain characters have special meanings in URLs and must be encoded when used as part of data:

Character Reserved Usage Encoded Value
? Marks the beginning of the query string %3F
& Separates query parameters %26
= Separates parameter names and values %3D
# Marks the beginning of a fragment identifier %23
/ Path segment separator %2F
: Scheme/protocol separator %3A
@ Separates user information from host %40

URL Encoding Process

The URL encoding process follows these steps:

  1. The character to be encoded is first converted to its UTF-8 byte representation
  2. Each byte is then represented as a percent sign (%) followed by two hexadecimal digits
  3. Alphanumeric characters (A-Z, a-z, 0-9) and a few special characters (-._~) are typically left as-is
  4. Spaces can be encoded as %20 or + (the plus sign), depending on the context

URL Encoding Example

Original: Hello World & Welcome!
Encoded:  Hello%20World%20%26%20Welcome%21

Original: https://example.com/search?q=URL encoding
Encoded:  https%3A%2F%2Fexample.com%2Fsearch%3Fq%3DURL%20encoding

URL encoding preserves the meaning while making all characters URL-safe

URL Encoding in Different Contexts

1. Form Submissions

When HTML forms are submitted with application/x-www-form-urlencoded content type (the default), spaces are typically encoded as plus signs (+) rather than %20. This is a historical convention that's still widely used.

Form Submission Encoding
// Original form data
name = "John Doe"
query = "url encoding & decoding"

// Form encoded
name=John+Doe&query=url+encoding+%26+decoding

2. Query Parameters

Query parameters in URLs must be properly encoded to maintain the structure of the URL:

Query Parameter Encoding
// Original URL with unencoded parameters
https://example.com/search?q=What is URL encoding?&lang=en

// Properly encoded URL
https://example.com/search?q=What%20is%20URL%20encoding%3F&lang=en

3. Path Segments

When including variable data in the path portion of a URL, encoding is also necessary:

Path Segment Encoding
// Original path with problematic characters
https://example.com/files/my document.pdf

// Properly encoded path
https://example.com/files/my%20document.pdf

URL Encoding Standards and Specifications

URL encoding has evolved over time through several RFC (Request for Comments) specifications:

RFC 1738 (1994)

The original specification for URLs defined the basic percent encoding scheme and specified which characters needed to be encoded.

RFC 2396 (1998)

Refined the URL specification and clarified encoding rules, introducing the concept of "unreserved" characters that don't need encoding.

RFC 3986 (2005)

The current standard that defines URI (Uniform Resource Identifier) syntax. It's more strict about which characters should be encoded. Under RFC 3986, only alphanumeric characters and -._~ are considered "unreserved".

Common URL Encoding Mistakes

Double Encoding

Encoding an already encoded URL, turning %20 into %2520, for example. This can happen when multiple systems process the same URL.

Partial Encoding

Encoding only some special characters while leaving others unencoded, leading to URL parsing errors.

Wrong Character Set

Using the wrong character encoding (e.g., Latin-1 instead of UTF-8) before percent encoding, causing incorrect representation of non-ASCII characters.

Inconsistent Space Encoding

Mixing %20 and + for spaces in the same context, which can cause issues in certain applications.

URL Encoding in Different Programming Languages

JavaScript

// Encoding
const encoded = encodeURIComponent('Hello World & Welcome!');
console.log(encoded); // "Hello%20World%20%26%20Welcome%21"

// Decoding
const decoded = decodeURIComponent('Hello%20World%20%26%20Welcome%21');
console.log(decoded); // "Hello World & Welcome!"

// Note: encodeURI() is also available but doesn't encode characters like ?, =, &
// Use encodeURIComponent() for query parameters or any URL parts

PHP

// Encoding
$encoded = urlencode('Hello World & Welcome!');
echo $encoded; // "Hello+World+%26+Welcome%21"

// For RFC 3986 compliant encoding (with %20 for spaces)
$rfc3986 = rawurlencode('Hello World & Welcome!');
echo $rfc3986; // "Hello%20World%20%26%20Welcome%21"

// Decoding
$decoded = urldecode('Hello+World+%26+Welcome%21');
echo $decoded; // "Hello World & Welcome!"

Python

import urllib.parse

# Encoding
encoded = urllib.parse.quote('Hello World & Welcome!')
print(encoded)  # "Hello%20World%20%26%20Welcome%21"

# For form data (spaces as +)
form_encoded = urllib.parse.quote_plus('Hello World & Welcome!')
print(form_encoded)  # "Hello+World+%26+Welcome%21"

# Decoding
decoded = urllib.parse.unquote('Hello%20World%20%26%20Welcome%21')
print(decoded)  # "Hello World & Welcome!"

Security Considerations

Proper URL encoding is not just about functionality—it's also a security measure:

Security Risks of Improper URL Encoding

  • XSS Attacks: Failing to encode user input could allow injection of malicious scripts
  • URL Injection: Unencoded special characters might change the structure of a URL
  • Path Traversal: Unencoded "../" sequences could lead to directory traversal vulnerabilities
  • Request Smuggling: Inconsistent encoding could allow attackers to smuggle requests

Conclusion

URL encoding is a critical aspect of web development that ensures data can be safely transmitted through URLs. Understanding when and how to properly encode URLs prevents both functional issues and security vulnerabilities. While the concept is simple—replacing unsafe characters with percent-encoded equivalents—the details of which characters need encoding in which contexts can be complex. Using standardized encoding functions in your programming language of choice, rather than attempting manual encoding, is generally the safest approach.