URL Encoder Decoder — Encode & Decode URLs Online for Free

Percent-encoding looks cryptic, but it's essential for web development. Here's everything you need to know — plus a free tool to do it instantly.

What Is URL Encoding?

URL encoding (also called percent-encoding) is the mechanism for encoding special characters in URLs. URLs can only contain a limited set of characters from the ASCII character set. Any character outside this set — spaces, non-ASCII characters, reserved characters used as data — must be encoded.

The encoding is simple: each problematic byte is replaced with a % followed by two hexadecimal digits representing the byte's value. For example:

• Space → %20 (or + in query strings)
• & → %26
• = → %3D
• ? → %3F
• # → %23
• / → %2F
• @ → %40

Why URL Encoding Matters

Consider this URL that searches for "fish & chips":

https://example.com/search?q=fish & chips

This breaks because:

• The space interrupts the URL — browsers don't know where the URL ends
• The & is interpreted as a query parameter separator, not as the literal character

The correctly encoded version:

https://example.com/search?q=fish%20%26%20chips

Now the server receives q=fish & chips as intended. Without encoding, the server would see q=fish and a separate parameter chips with no value.

Characters That Need Encoding

Reserved Characters

These characters have special meaning in URLs. When used as data (not as delimiters), they must be encoded:

:  /  ?  #  [  ]  @  !  $  &  '  (  )  *  +  ,  ;  =

Unsafe Characters

These characters should always be encoded in URLs:

Space  "  <  >  {  }  |  \  ^  `

Non-ASCII Characters

Any character outside the ASCII range (Unicode characters, accented letters, emoji) must be UTF-8 encoded first, then each byte is percent-encoded:

café → caf%C3%A9
🍕   → %F0%9F%8D%95

encodeURI vs encodeURIComponent

JavaScript provides two URL encoding functions, and using the wrong one is a common source of bugs:

encodeURI()

Encodes a complete URI. It does not encode characters that are part of URL structure: : / ? # [ ] @ ! $ & ' ( ) * + , ; =

encodeURI("https://example.com/path?q=hello world")
// "https://example.com/path?q=hello%20world"
// ✅ URL structure preserved

encodeURIComponent()

Encodes a URI component (like a query parameter value). It encodes everything except: A-Z a-z 0-9 - _ . ~ ! ' ( ) *

encodeURIComponent("hello world&foo=bar")
// "hello%20world%26foo%3Dbar"
// ✅ All special chars encoded — safe as a parameter value

Rule of thumb: Use encodeURIComponent() for parameter values. Use encodeURI() for complete URLs. Never use escape() — it's deprecated and handles Unicode incorrectly.

URL Encoding in Different Languages

// JavaScript
encodeURIComponent("hello world")  // "hello%20world"
decodeURIComponent("hello%20world")  // "hello world"

# Python
from urllib.parse import quote, unquote
quote("hello world")    # "hello%20world"
unquote("hello%20world")  # "hello world"

# PHP
urlencode("hello world")    // "hello+world"
rawurlencode("hello world") // "hello%20world"

// Java
URLEncoder.encode("hello world", "UTF-8")  // "hello+world"
URLDecoder.decode("hello+world", "UTF-8")  // "hello world"

# CLI
python3 -c "from urllib.parse import quote; print(quote('hello world'))"

Note the inconsistency: some functions encode spaces as %20, others as +. Both are valid in query strings (+ for spaces is the application/x-www-form-urlencoded convention), but %20 is more universally correct.

Common URL Encoding Mistakes

• Double encoding: Encoding an already-encoded URL turns %20 into %2520. Always decode first if unsure.
• Encoding the entire URL: If you encode https:// you get https%3A%2F%2F — a broken URL. Only encode the parts that contain user data.
• Forgetting to encode: Passing unencoded user input into URLs is a security risk (injection attacks) and a bug source.
• Using the wrong function: encodeURI vs encodeURIComponent — they encode different character sets.
• Ignoring Unicode: Non-ASCII characters must be UTF-8 encoded before percent-encoding. Most modern functions handle this, but legacy code might not.

URL Encoding and Security

Improper URL encoding is a common attack vector:

• URL injection: Unencoded user input can break URL structure, redirecting users or injecting parameters
• Path traversal: Encoded sequences like %2e%2e%2f (../) can be used to access files outside the intended directory
• XSS via URLs: Malicious JavaScript can be injected through unencoded URL parameters

Always encode user-provided data before inserting it into URLs, and always validate/sanitize decoded URL parameters on the server side.

Debugging URL Issues

When something goes wrong with a URL:

1. Paste the URL into our URL decoder to see the decoded version and parsed query parameters
2. Check for double encoding — look for %25 sequences, which indicate a % was encoded
3. Verify parameter boundaries — unencoded & and = in values will break query string parsing
4. Test with special characters — spaces, ampersands, equals signs, unicode characters