🔗URL Encode / Decode
Encode or decode URL strings using percent-encoding (RFC 3986). Converts special characters like spaces, &, =, #, and Unicode to their %XX equivalents for safe use in URLs, query strings, and web forms. All processing is done locally in your browser.
Result
Hello%20World!%20Price%3A%20%249.99%20%26%20discount%3Dtrue
URL Encoder / Decoder: Percent-Encoding Explained
URL encoding (percent-encoding, RFC 3986) replaces unsafe characters with %XX where XX is the hexadecimal UTF-8 byte value. A space becomes %20, an ampersand becomes %26, and the emoji 😀 becomes %F0%9F%98%80. Only unreserved characters (A–Z, a–z, 0–9, -, _, ., ~) are transmitted unmodified.
Key rule: Always encode user-supplied data before appending it to URLs, to prevent injection attacks and broken links.
| Character | Encoded | Why it matters |
|---|---|---|
| Space | %20 | Spaces break URL parsing |
| & | %26 | Used as query param separator |
| # | %23 | Marks URL fragment/anchor |
URL encoding is essential for web development: query string parameters, form submissions, API requests, and any situation where user-supplied text is embedded in a URL must be properly encoded. Without encoding, characters like &, =, #, and ? break URL parsing and can introduce security vulnerabilities.
encodeURIComponent vs encodeURI
JavaScript provides two encoding functions with different scopes. encodeURI() encodes a full URL and preserves structural characters (/, ?, &, =, #, :) that have meaning in URL syntax. encodeURIComponent() encodes a URL component (a single parameter value) and encodes all characters except unreserved ones. This tool uses encodeURIComponent, which is appropriate for encoding individual values before appending them to query strings. Example: encodeURIComponent("a=1&b=2") → "a%3D1%26b%3D2", preserving the literal characters as data rather than as URL syntax.
URL Encoding and Security
Failing to URL-encode user input before embedding it in URLs can lead to open redirect vulnerabilities, parameter injection, and broken links. A username containing & could prematurely end a query parameter. A value containing # could be interpreted as a fragment. Always encode user-supplied values with encodeURIComponent() before constructing URLs in JavaScript, and use your web framework's URL builder or parameterized queries instead of string concatenation.
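The parameter-injection case described above, as an added example that is not part of the original page. It builds the same URL by raw concatenation, with encodeURIComponent(), and with the URL API, then parses each result the way a receiver would. The host, the function names, and the sample username are constructed for illustration.

```javascript
// Constructed sample input: a "username" that contains URL syntax characters.
const sampleName = "alice&role=admin#frag";
const BASE = "https://example.com/profile"; // placeholder host (assumption)

// Before: raw concatenation. The & and # inside the value become URL syntax.
function buildUnsafe(name) {
  return BASE + "?user=" + name + "&role=viewer";
}

// After: the value is percent-encoded first, so it stays data.
function buildEncoded(name) {
  return BASE + "?user=" + encodeURIComponent(name) + "&role=viewer";
}

// Alternative: let the URL API encode. It uses form encoding, so a space
// is written as + instead of %20; both decode to a space in a query string.
function buildWithApi(name) {
  const u = new URL(BASE);
  u.searchParams.set("user", name);
  u.searchParams.set("role", "viewer");
  return u.toString();
}

// What a receiver parsing the URL sees in each case.
function inspect(urlString) {
  const u = new URL(urlString);
  return {
    user: u.searchParams.get("user"),
    roles: u.searchParams.getAll("role"),
    fragment: u.hash,
  };
}

for (const build of [buildUnsafe, buildEncoded, buildWithApi]) {
  const url = build(sampleName);
  console.log(build.name, url, JSON.stringify(inspect(url)));
}
```

In the concatenated URL the receiver reads user as "alice" and role as "admin", and the intended role=viewer is swallowed by the fragment; in the two encoded forms the full string arrives as the user value and role stays "viewer".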
Frequently Asked Questions
What characters need to be URL encoded?
Characters outside the "unreserved" set (A–Z, a–z, 0–9, hyphen, underscore, period, tilde) must be encoded in URL components. The most commonly encountered: space → %20, & → %26, = → %3D, + → %2B, # → %23, ? → %3F, / → %2F, @ → %40, : → %3A, < → %3C, > → %3E, " → %22, ' → %27. For Unicode characters, encode as UTF-8 bytes first, then percent-encode each byte: the euro sign € (U+20AC) is encoded as %E2%82%AC in UTF-8.
What is the difference between %20 and + for spaces?
Both represent a space, but in different contexts. %20 is the strict RFC 3986 percent-encoding of a space character, correct for all URL components. The + sign as a space replacement comes from HTML form encoding (application/x-www-form-urlencoded, RFC 1866), where browsers traditionally encode form field values with + for spaces. When processing form data, + must be converted to space. In path segments and modern APIs, always use %20. In query strings submitted via HTML forms, + may appear — handle both. This tool uses %20 (via encodeURIComponent) which is universally correct.
How do I URL encode a full URL vs a query parameter?
If you have a full URL and want to encode it for use as a hyperlink, use encodeURI() which preserves /, ?, &, =, #, :, and other URL-structural characters. If you are building a URL by appending user data to a query string, encode each parameter value individually with encodeURIComponent() before concatenation. Example: const url = "https://example.com/search?q=" + encodeURIComponent(userInput); Never concatenate raw user input into URLs — encode first to prevent injection and broken URLs. If the entire URL itself is a parameter value (a redirect_uri for example), encode the whole URL with encodeURIComponent().
Can URL encoding be used to avoid SQL injection?
No. URL encoding protects URL structure but does not prevent SQL injection. A percent-encoded SQL injection payload can still reach your database after the web server decodes the URL. SQL injection is prevented by using parameterized queries (prepared statements) or stored procedures in your database layer. Never use URL encoding as a substitute for input validation or parameterized queries. The correct security stack is: URL encoding for safe URL transport + input validation + parameterized queries for database safety + output escaping for XSS prevention.