PwnDeck

URL Encoder / Decoder

Encode special characters in URLs or decode percent-encoded URL strings. Handle query parameters safely.

encodeURIComponent / decodeURIComponent — encodes all special characters

How to Use the URL Encoder / Decoder

  1. Paste the URL or text you want to encode or decode into the input field.
  2. Choose Encode to convert special characters to percent-encoded format, or Decode to convert back.
  3. The result is generated instantly in your browser with no server requests.
  4. Copy the encoded or decoded output for use in your application.

What is URL Encoding (Percent Encoding)?

URL encoding, also known as percent encoding, is a mechanism for encoding special characters in URLs as defined by RFC 3986. Characters that are not allowed in URLs or have special meaning (such as spaces, &, =, ?, #) are replaced with a percent sign followed by their two-digit hexadecimal ASCII value. For example, a space becomes %20 and an ampersand becomes %26.

Proper URL encoding is critical for web security and correct application behavior. When building query strings, failing to encode user input can lead to parameter injection, where an attacker crafts input that adds or modifies URL parameters. Improper URL encoding is also frequently exploited in open redirect vulnerabilities, Server-Side Request Forgery (SSRF) attacks, and various injection techniques. Developers working with APIs must ensure that parameter values are encoded before being included in request URLs.

Double encoding (encoding an already encoded string, so that %20 becomes %2520) is a common bug: a single decoding pass then yields the literal text %20 rather than a space. In penetration testing, URL encoding and double encoding are standard techniques for bypassing web application firewalls and input filters that do not properly handle encoded input.

Frequently Asked Questions

Any character outside the unreserved set (A-Z, a-z, 0-9, -, _, ., ~) should be encoded when used in a URL component. Reserved characters like :, /, ?, #, &, and = have special meaning in URLs and must be percent-encoded when used as data rather than delimiters.

In JavaScript, encodeURI encodes a full URI while preserving characters that are valid URL delimiters (://?#&=). encodeURIComponent encodes everything except unreserved characters, making it suitable for encoding individual parameter values. Using encodeURI on a query parameter value can leave injection-prone characters unencoded.
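
The difference described above, as an added example that is not PwnDeck's own code: the same constructed input is placed in a query string with each function, then parsed back the way a receiving application would. The endpoint, parameter names, inputs and helper names (buildWeak, buildSafe, getAll, canonicalize) are assumptions made for illustration; canonicalize shows a bounded decode-until-stable check for double-encoded values.

```javascript
// Added example, not PwnDeck's code. Endpoint, parameter names and inputs are constructed.
const BASE = 'https://api.example.test/search'; // hypothetical endpoint

// Weak: encodeURI leaves & = ? # intact, so they act as delimiters in the query.
const buildWeak = (term) => `${BASE}?role=user&q=${encodeURI(term)}`;

// Correct: encodeURIComponent percent-encodes those delimiters inside the value.
const buildSafe = (term) => `${BASE}?role=user&q=${encodeURIComponent(term)}`;

// All values the receiving side would see for one parameter name.
const getAll = (url, name) => new URL(url).searchParams.getAll(name);

// Decode repeatedly (bounded) until the value stops changing. More than one
// effective pass on a raw value means it was double encoded; validation and
// filtering should run on the final form, not on the still-encoded text.
function canonicalize(value, maxPasses = 5) {
  let current = value;
  let passes = 0;
  while (passes < maxPasses) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (err) {
      break; // malformed escape such as "%zz" or a bare "%": stop decoding
    }
    if (next === current) break; // nothing left to decode
    current = next;
    passes += 1;
  }
  return { value: current, passes };
}

const input = 'shoes&role=admin'; // constructed user input

// encodeURI: the value splits into a second "role" parameter.
console.log(buildWeak(input), getAll(buildWeak(input), 'role'));

// encodeURIComponent: "role" is untouched and q carries the whole string.
console.log(buildSafe(input), getAll(buildSafe(input), 'q'));

// A double-encoded space needs two passes before it is in its final form.
console.log(canonicalize(encodeURIComponent(encodeURIComponent('a b'))));
```
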

Improper URL encoding can lead to serious vulnerabilities. Attackers exploit insufficient encoding to inject additional parameters, bypass WAF rules using double encoding, craft open redirect payloads, and execute SSRF attacks. Always encode user-supplied data before including it in URLs, and decode it properly on the server side.