URL Encode Decode Tool
Encode special characters for URLs or decode percent-encoded URL strings. Enter values for instant results with step-by-step formulas.
Formula
Character -> UTF-8 bytes -> %XX per byte
URL encoding converts each unsafe character to its UTF-8 byte representation, then represents each byte as a percent sign followed by two hexadecimal digits. For example, a space (byte 0x20) becomes %20, and a multi-byte Unicode character produces multiple %XX sequences.
Worked Examples
Example 1: Encoding a URL with Query Parameters
Problem: Encode the URL: https://example.com/search?q=hello world&category=books & media
Solution: Using encodeURI (preserve URL structure):\nhttps://example.com/search?q=hello%20world&category=books%20&%20media\nNote: & is preserved as URL delimiter\n\nUsing encodeURIComponent (for parameter values only):\nq = hello%20world\ncategory = books%20%26%20media\nNote: & in 'books & media' is encoded to %26\n\nFull reconstructed URL:\nhttps://example.com/search?q=hello%20world&category=books%20%26%20media
Result: Space -> %20 | & in value -> %26 | URL structure preserved correctly
Example 2: Decoding a Complex Percent-Encoded URL
Problem: Decode: https://api.example.com/v2/users?name=Fran%C3%A7ois%20M%C3%BCller&city=Z%C3%BCrich
Solution: Percent-encoded sequences:\n%C3%A7 -> UTF-8 bytes C3 A7 -> Unicode U+00E7 -> character: c with cedilla\n%20 -> space\n%C3%BC -> UTF-8 bytes C3 BC -> Unicode U+00FC -> character: u with umlaut\n\nDecoded parameters:\nname = Francois Muller (with proper diacritics)\ncity = Zurich (with u-umlaut)\n\nFull decoded URL:\nhttps://api.example.com/v2/users?name=Francois Muller&city=Zurich
Result: Decoded: name=Francois Muller, city=Zurich | 3 Unicode chars decoded
Frequently Asked Questions
What is URL encoding and why is it necessary?
URL encoding, also called percent-encoding, is the process of converting characters that are not allowed or have special meaning in URLs into a safe format using percent signs followed by hexadecimal values. URLs can only contain a limited set of characters from the ASCII character set, and certain characters like spaces, ampersands, question marks, and hash symbols have reserved meanings as delimiters within the URL structure. Without encoding, a search query containing an ampersand would be misinterpreted as a parameter separator, breaking the URL parsing. For example, a space becomes %20, an ampersand becomes %26, and a question mark becomes %3F. This ensures that user input and data values are transmitted correctly without interfering with the URL structure itself.
What are common mistakes when working with URL encoding?
The most frequent mistake is double-encoding, where an already-encoded string gets encoded again, turning %20 into %2520 (the percent sign itself gets encoded). This happens when code applies encoding without checking if the string is already encoded. Another common error is using encodeURI when encodeURIComponent is needed, which fails to encode ampersands and equals signs in query values, breaking parameter parsing. Forgetting to encode plus signs in query strings is problematic because HTML forms encode spaces as plus signs per the application/x-www-form-urlencoded specification, but this is different from standard percent-encoding where spaces are %20. Developers also frequently forget to decode URL parameters on the server side, storing encoded data in databases. Using manual string replacement instead of proper encoding functions leads to missed edge cases.
How do different programming languages handle URL encoding?
Each programming language provides its own URL encoding functions with subtle differences. JavaScript offers encodeURIComponent for component encoding and encodeURI for full URLs. Python has urllib.parse.quote for percent-encoding and urllib.parse.urlencode for form data encoding. PHP provides urlencode (which encodes spaces as plus signs) and rawurlencode (which uses %20 for spaces per RFC 3986). Java offers URLEncoder.encode which follows form encoding conventions with spaces as plus signs. Ruby uses ERB::Util.url_encode and CGI.escape with different behaviors for reserved characters. These differences can cause interoperability issues when systems written in different languages communicate, making it important to explicitly choose between RFC 3986 percent-encoding and form-data encoding based on your specific use case.
Can URL encoding cause security vulnerabilities?
Yes, improper URL encoding and decoding is the root cause of several web security vulnerabilities. Path traversal attacks use encoded sequences like %2e%2e%2f (which decodes to ../) to escape intended directory structures and access unauthorized files on the server. Double encoding attacks exploit applications that decode URLs multiple times, where %252e%252e%252f first decodes to %2e%2e%2f and then to ../, bypassing security filters that only check for the decoded form. Cross-site scripting (XSS) attacks can use URL encoding to smuggle malicious JavaScript through input validation that does not properly decode before checking. SQL injection payloads can be URL-encoded to bypass web application firewalls. The defense involves properly decoding all input before validation, using parameterized queries, and implementing allowlist-based input validation rather than blocklist approaches.
What is the maximum length of a URL and how does encoding affect it?
While the HTTP specification does not define a maximum URL length, practical limits exist across browsers and servers. Internet Explorer historically limited URLs to 2,083 characters, and while modern browsers support much longer URLs (Chrome and Firefox handle over 60,000 characters), many web servers and proxies enforce limits between 2,048 and 8,192 characters. URL encoding significantly impacts effective URL length because each encoded character expands from 1 character to 3 characters (%XX format), and multi-byte Unicode characters can expand to 9 or more characters. A Chinese character that is 3 UTF-8 bytes becomes 9 characters when percent-encoded (%E4%B8%AD). This means a query string with internationalized content can quickly exceed URL length limits. For large data payloads, POST requests with the data in the request body are preferred over GET requests with encoded query parameters.
Can I use URL Encode Decode Tool on a mobile device?
Yes. All calculators on NovaCalculator are fully responsive and work on smartphones, tablets, and desktops. The layout adapts automatically to your screen size.