URL Encoder/Decoder

Our URL encoder decoder converts URLs and text to percent-encoded format and back in real-time. Encode special characters, query parameters, path segments, and Unicode text for safe use in URLs. Decode percent-encoded strings back to readable text. Supports RFC 3986 standard encoding, component encoding, and full URL encoding with UTF-8 support. All processing is client-side — your data never leaves your browser.

star 4.9
auto_awesome AI
New

URL Encoder calculator

Method:
0 characters 0 bytes
0 characters

lightbulb Tips

  • Use encodeURIComponent for query values
  • Spaces → %20 (standard) or + (form data)
  • A-Z a-z 0-9 - _ . ~ are never encoded
  • Always encode user input before URLs

How to Use the URL Encoder

swap_horiz

Choose Mode

Select Encode to convert text to URL encoding, or Decode to convert percent-encoded text back.

tune

Select Method

Choose Component (for query values), URI (for full URLs), or Form Data (+ for spaces).

text_fields

Enter Input

Type or paste your text (for encoding) or encoded URL (for decoding).

content_copy

Get Result

The result appears instantly. Click Copy to copy to clipboard.

The Formula

URL encoding (percent encoding) replaces unsafe or reserved characters with a percent sign (%) followed by two hexadecimal digits representing the character's byte value. For example, a space becomes %20, and '&' becomes %26. UTF-8 characters use multiple percent-encoded bytes (e.g., '€' → %E2%82%AC). Unreserved characters (letters, digits, -, _, ., ~) are never encoded.

URL Encoding = replace unsafe characters → %HH (hex byte value)

lightbulb Variables Explained

  • %HH Percent sign followed by two hexadecimal digits representing the byte value
  • Unreserved chars A-Z a-z 0-9 - _ . ~ (never encoded)
  • Reserved chars : / ? # [ ] @ ! $ & ' ( ) * + , ; = (encoded in components)
  • UTF-8 Multi-byte characters encoded as multiple %HH sequences

tips_and_updates Pro Tips

1

Use encodeURIComponent for query parameter values — it encodes everything except A-Z a-z 0-9 - _ . ~

2

Use encodeURI for full URLs — it preserves :, /, ?, #, &, = and other URL structure characters

3

Spaces can be encoded as %20 (standard) or + (form data / application/x-www-form-urlencoded)

4

Always encode user input before inserting into URLs to prevent injection attacks

5

UTF-8 characters like emojis get encoded as multiple %HH bytes (e.g., 😀 → %F0%9F%98%80)

6

Double-encoding happens when you encode an already-encoded string — decode first if unsure

7

RFC 3986 defines the standard: unreserved characters (A-Z a-z 0-9 - _ . ~) are never encoded

Our free URL encoder decoder converts text to percent-encoded format and back instantly. Encode query parameters, path segments, and special characters for safe URL usage. Decode percent-encoded strings back to readable text. Supports UTF-8 and all Unicode characters.

URL Encoder - Text to Percent Encoding

Convert any text to URL-safe percent encoding instantly. Our encoder handles spaces, special characters, Unicode, and emojis.

Choose between:

  • component encoding (for query values)
  • URI encoding (preserving URL structure)
  • form data encoding (+ for spaces)

URL Decoder - Percent Encoding to Text

Decode any percent-encoded URL back to readable text. Paste encoded URLs, query strings, or individual parameters and see the original text instantly.

Handles:

  • %HH sequences
  • plus-as-space
  • multi-byte UTF-8 characters

How Does URL Encoding (Percent Encoding) Work?

URL encoding works by replacing any character that is unsafe or reserved in a URL with a percent sign followed by two hexadecimal digits representing that character's byte value, a scheme formally defined in RFC 3986 by the IETF.

A space becomes %20, an ampersand becomes %26, and a slash becomes %2F. Non-ASCII characters are first converted to their UTF-8 byte sequence, then each byte is percent-encoded, so the letter 'é' becomes %C3%A9.

According to MDN Web Docs, browsers apply this automatically through functions like encodeURIComponent. Only unreserved characters (A-Z, a-z, 0-9, hyphen, underscore, period, tilde) are left untouched.

What Is the Difference Between encodeURI and encodeURIComponent?

encodeURI encodes a complete URL while preserving reserved structural characters, whereas encodeURIComponent encodes a single component and escapes those structural characters too.

As documented by MDN Web Docs, encodeURI leaves :, /, ?, #, &, and = intact so a whole address stays functional, making it right for full URLs. encodeURIComponent escapes everything except the RFC 3986 unreserved set, so it is the correct choice for query-parameter values, path segments, or fragment text that might contain reserved characters.

Using encodeURI where encodeURIComponent is needed is a common bug: an unencoded & inside a value will be misread as a parameter separator, silently corrupting the request.

Which Characters Are Reserved vs Unreserved in a URL?

RFC 3986 divides URL characters into unreserved and reserved sets, and this distinction determines what gets percent-encoded.

  • Unreserved characters are the letters A-Z and a-z, digits 0-9, and the four marks hyphen, underscore, period, and tilde; these never require encoding.
  • Reserved characters include the general delimiters : / ? # [ ] @ and the sub-delimiters ! $ & ' ( ) * + , ; = which carry syntactic meaning.

Per the IETF specification, reserved characters may appear unencoded when serving their delimiter role but must be percent-encoded when used literally inside a component. Everything outside both sets, including spaces and Unicode, should always be encoded.

Why Do URLs Use %20 for Spaces?

URLs use %20 for spaces because the space character is not allowed to appear literally in a URI under RFC 3986, so it is percent-encoded to its ASCII byte value, hex 20.

There is a second convention: in application/x-www-form-urlencoded data, the format used by HTML form submissions and many query strings, a space is encoded as a plus sign (+) rather than %20, as specified by the WHATWG URL Standard and W3C form specifications.

This is why decoders must know their context. %20 is universally safe in the path, query, and fragment, while + only means space inside form-encoded query data and is a literal plus elsewhere.

How Does URL Encoding Handle Unicode and Emojis?

URL encoding handles Unicode by first converting each character to its UTF-8 byte sequence and then percent-encoding every individual byte. The Unicode Consortium defines the code points, and UTF-8 (specified in RFC 3629) maps them to one to four bytes.

For example:

  • A single-byte ASCII character like 'A' stays as 'A'
  • 'é' encodes to %C3%A9
  • the CJK character '日' becomes %E6%97%A5
  • an emoji such as 😀 encodes to four bytes, %F0%9F%98%80

MDN Web Docs notes that JavaScript's encodeURIComponent operates on UTF-8 by default. Decoders reverse this by collecting the percent-encoded bytes and reinterpreting them as a UTF-8 stream to recover the original text.

What Is Double Encoding and How Do You Avoid It?

Double encoding happens when an already percent-encoded string is encoded again, turning each % into %25 so that %20 becomes %2520 and the value can no longer be read correctly.

This is a frequent source of broken links and, per OWASP, a security concern because attackers use double encoding to slip malicious input past filters that decode only once.

To avoid it, encode a value exactly one time at the point where it enters the URL, and never re-encode data that came from another encoded source. If you are unsure whether a string is already encoded, decode it first; if the output changes and looks readable, it was encoded, and you should not encode it again.

Is URL Encoding Secure? Encoding vs Encryption

URL encoding is not secure and provides no confidentiality; it is a reversible transformation for transport safety, not encryption. Anyone can decode a percent-encoded string instantly, so sensitive data placed in a URL remains fully readable and, as OWASP warns, is also exposed in browser history, server logs, and Referer headers.

Encoding only ensures special characters do not break URL syntax. Encryption, by contrast, uses a key and algorithms like AES (standardized by NIST) to make data unreadable without that key.

The correct security use of encoding is combined with proper output escaping to prevent injection attacks; never treat it as a way to hide or protect information.

How Do You Encode Query Strings and URL Parameters Correctly?

To encode a query string correctly, apply encodeURIComponent to each parameter key and value separately before joining them with & and =, rather than encoding the whole assembled string at once.

This ensures that reserved characters inside a value, such as an & or = in user input, are escaped to %26 and %3D so they cannot be mistaken for delimiters, following the application/x-www-form-urlencoded rules described by the WHATWG URL Standard. For example, the value 'hello world&x=1' must become 'hello%20world%26x%3D1'.

According to MDN Web Docs, the URLSearchParams API automates this safely. Always encode user-supplied data before inserting it into a query string to prevent parameter injection and malformed requests.

Common Mistakes When Encoding and Decoding URLs

The most common URL encoding mistake is choosing the wrong function: using encodeURI on a query value leaves &, =, and ? unescaped, letting user input corrupt the URL structure.

Other frequent errors, several flagged by OWASP and MDN Web Docs, include:

  • double encoding a value so %20 becomes %2520
  • forgetting that + means space only in form-encoded data
  • encoding an entire URL after it is built instead of encoding each component beforehand

Developers also mishandle UTF-8 by decoding bytes as Latin-1, which produces mojibake for accented and non-Latin text. Finally, never rely on encoding for security; failing to also escape output for the target context leaves injection vulnerabilities open despite valid percent encoding.

Frequently Asked Questions

sell

Tags