URL Encode / Decode
Percent-encode text for safe use in URLs, or decode %xx sequences back.
Updated: June 26, 2026
What is URL encoding?
URL encoding — also called percent-encoding — replaces characters that are
unsafe or reserved in a URL with a % followed by their
hexadecimal byte value. For example a space becomes %20 and an
ampersand becomes %26. This keeps query strings, path segments
and form data from breaking the structure of a URL.
encodeURIComponent vs encodeURI
There are two levels of encoding, and picking the wrong one is a frequent source of bugs:
-
Component mode (
encodeURIComponent) encodes everything that isn't unreserved, including/ ? : @ & = + $ #. Use it for a single piece of data going into one query parameter or path segment. -
Full-URI mode (
encodeURI) leaves the characters that form a valid URL intact, so it won't break://,?or&. Use it when encoding an entire URL that is already structured.
Rule of thumb: if you are building a query string from values, encode each
value with component mode, then join them with & and
= yourself.
Examples
hello world→hello%20worlda=b&c=d→a%3Db%26c%3Dd(component mode)café/münchen→caf%C3%A9%2Fm%C3%BCnchen
Notice that non-ASCII characters are encoded as their UTF-8 bytes — a single
é becomes two percent-escapes (%C3%A9).
Common pitfalls
Double-encoding is the classic mistake: encoding a value that was already
encoded turns %20 into %2520. If you see stray
%25 sequences in your URLs, something encoded the same value
twice. Decoding malformed input (an incomplete % sequence) also
fails — this tool reports that instead of silently corrupting data.
Encoding is not escaping for HTML or SQL
URL encoding only makes text safe for URLs. It does not protect against XSS (use HTML escaping) or SQL injection (use parameterized queries). Reserved characters that are dangerous in those contexts need their own escaping — don't rely on percent-encoding as a security control.
Frequently asked questions
When should I use encodeURIComponent vs encodeURI?
Use encodeURIComponent (component mode) for a single value going into a query parameter or path segment — it encodes reserved characters like & = ? /. Use encodeURI (full-URI mode) only when encoding a whole, already-structured URL.
Why is a space sometimes %20 and sometimes +?
Percent-encoding uses %20 for spaces. The + sign for spaces is a separate convention specific to application/x-www-form-urlencoded form bodies. In modern URLs, %20 is the safe choice.
What is double-encoding?
Double-encoding happens when you encode an already-encoded value, turning %20 into %2520. It usually means two layers of code each encoded the same string. Decode once to check before encoding again.
Does URL encoding protect against injection attacks?
No. URL encoding only makes text safe inside a URL. It does not prevent XSS or SQL injection — those need HTML escaping and parameterized queries respectively.
API & web debugging tools
When wrangling query strings and redirects all day, these help you debug faster:
- API client / HTTP inspector Build and replay requests with correctly encoded parameters and inspect exactly what the server receives.
- CDN / edge platform Handle redirects, rewrites and query-string normalization at the edge instead of in application code.
Related tools
- Base64 Encode / DecodeConvert text to Base64 and back, with full Unicode (UTF-8) support.
- JWT Decoder & ValidatorDecode a JWT's header and payload, inspect its claims, and verify an HS256 signature.
- HMAC Generator (SHA-1, SHA-256, SHA-512)Compute an HMAC from a message and secret key using SHA-1/256/384/512, as hex or Base64.
- Hash Generator (MD5, SHA-1, SHA-256, SHA-512)Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 digests from any text.