๐ Crypto & Encoding
URL Encoding Explained (Percent-Encoding)
By Justin Le
ยท 6 min read ยท Updated June 27, 2026
You've seen %20 in URLs and maybe wondered why a space turns into that.
That's URL encoding, and understanding it โ especially the two "levels" of it โ saves
you from a surprising number of bugs.
What is URL encoding?
URL encoding, also called percent-encoding, replaces characters that
are unsafe or have special meaning in a URL with a % followed by their
hexadecimal byte value. A space becomes %20, an ampersand becomes
%26, and so on. This keeps query strings, path segments and form data from
breaking the structure of the URL they live in.
Why it's needed
URLs have a defined grammar. Characters like ?, &,
=, / and # are reserved โ they separate
the parts of a URL. If a value you're putting into a query string happens to contain one
of them, it would be misread as structure. Encoding turns those characters into a form
that's safely carried as data instead.
The two levels: encodeURI vs encodeURIComponent
This is where most bugs come from. There are two encoding functions, and they encode different sets of characters:
-
Component encoding (
encodeURIComponent) encodes everything that isn't unreserved โ including/ ? : @ & = + $ #. Use it for a single value going into one query parameter or path segment. -
Full-URI encoding (
encodeURI) leaves the characters that form a valid URL intact, so it won't break://,?or&. Use it only when encoding a whole, already-structured URL.
Rule of thumb: when building a query string from values, encode each value with
component encoding, then join them with & and = yourself.
Non-ASCII characters
Characters outside ASCII are encoded as their UTF-8 bytes, so a single รฉ
becomes two percent-escapes (%C3%A9) and an emoji becomes four. That's
expected โ each byte gets its own %xx.
The double-encoding trap
Encoding a value that's already encoded is a classic mistake: %20
becomes %2520 (because the % itself gets encoded to
%25). If you see stray %25 sequences in your URLs, something
encoded the same value twice. Decode once to check before encoding again.
Encoding is not escaping for HTML or SQL
URL encoding only makes text safe inside a URL. It does not protect against XSS (use HTML escaping) or SQL injection (use parameterised queries). Don't rely on percent-encoding as a security control โ it solves a formatting problem, not an injection one.
Try it
Encode and decode in both modes with our URL encoder/decoder โ toggle component mode to see the difference. To inspect the raw bytes behind a character, the hex โ text converter is handy, and for redirects see the 301 vs 302 guide.
Frequently asked questions
Why is a space encoded as %20?
Percent-encoding replaces unsafe characters with % plus their hex byte value. A space is byte 0x20, so it becomes %20. (In form bodies a space may also appear as +, a separate convention.)
When should I use encodeURIComponent vs encodeURI?
Use encodeURIComponent for a single value going into a query parameter or path segment โ it encodes reserved characters like & = ? /. Use encodeURI only when encoding a whole, already-structured URL.
What is double-encoding?
Encoding an already-encoded value, which turns %20 into %2520. It usually means two layers of code each encoded the same string. Decode once to check before encoding again.
Try the related tools
- URL Encode / Decode Percent-encode text for safe use in URLs, or decode %xx sequences back.
- Hex โ Text Converter Convert text to hexadecimal and decode hex back to text, with UTF-8 support.
- .htaccess & nginx Redirect Generator Turn a list of old โ new URLs into Apache .htaccess and nginx redirect rules.
Related guides
- What Is Base64 Encoding? (And Why It's Not Encryption) Base64 turns binary data into safe text โ but it is not encryption. Here's how it works, why it grows your data by a third, and when to reach for it.
- 301 vs 302 Redirects: Which to Use (and Why It Matters for SEO) 301 or 302? The wrong choice can quietly tank your SEO. Here's what each redirect means, when to use it, and the chain mistakes to avoid.
- What Is a JWT and How Does It Work? How JSON Web Tokens really work โ the header, payload and signature, what signing proves, and the security mistakes that bite teams.