UTILITY GUIDE

URL Encode/Decode: Guide to URL Percent-Encoding

How URL encoding works, why URLs must be encoded, and how to correctly handle special characters and Unicode.

Percent-encoding: making URLs safe

URLs (Uniform Resource Locators) can only contain a subset of ASCII characters. Characters such as spaces, &, =, #, ? and all Unicode characters (accented letters, ideograms, emoji) cannot appear directly in a URL because they have special meanings or are not supported. Percent-encoding (defined in RFC 3986) solves this problem by replacing each unsafe character with % followed by its hexadecimal code: space becomes %20, & becomes %26, e with accent becomes %C3%A9.

Our URL Encode/Decode handles encoding and decoding in both directions, correctly supporting UTF-8, double encoding, and the differences between path encoding and query string encoding. It is an essential tool for web developers working with APIs, search parameters, and any scenario where user data ends up in a URL.

When and what to encode

URL encoding examples
# Spazi
"ciao mondo" → "ciao%20mondo"     (path)
"ciao mondo" → "ciao+mondo"       (form data)

# Caratteri riservati
"a=1&b=2"  → "a%3D1%26b%3D2"     (se sono dati, non delimitatori)

# Unicode / caratteri accentati
"città"    → "citt%C3%A0"

# URL completo - codifica solo i valori!
https://api.esempio.com/search?q=ciao%20mondo&lang=it
#                                  ^^^^^^^^^^^^^^^^
#                            solo il valore è codificato

The fundamental rule: encode values, not the URL structure. Characters that make up the structure (://?&=#) should not be encoded when they act as delimiters. They should only be encoded when they appear in data. For example, if the search parameter is "a=b", the & in the URL is a delimiter (not encoded), but the = in the value must be encoded: ?search=a%3Db. Encoding errors are among the most common bugs in web applications.

Security and URL encoding

URL encoding is fundamental to web security. URL parameter injection is an attack vector: unencoded input can modify the URL structure, add unintended parameters, or cause unexpected behavior. All modern web frameworks automatically encode URL parameters, but when you build URLs manually (in API clients, scripts, redirects), correct encoding is the developer's responsibility.

For other types of encoding used in web development, our Base64 Encode/Decode handles binary-to-text encoding for JWTs, data URIs and email attachments. For data pattern validation, the Regex Tester allows testing regular expressions in real time. And for the security of connections over which these URLs travel, always verify that your site uses HTTPS with SSL Check — URL parameters are visible in unencrypted HTTP traffic.

An insidious case is double encoding: when already encoded data is encoded a second time, %20 becomes %2520 (the % is encoded as %25). The result is a URL that doesn't work because the server decodes only once and gets %20 as literal data instead of a space. Our tool detects and correctly handles double encoding during decoding, but prevention is better: encode data only once, at the time of URL construction.

Try URL Encode/Decode for free
Encode and decode URLs with special characters
Use URL Encode/Decode >

Explore the Network

capops.io Free tools for DevOps & SysAdmin — monitoring, deploy, CI/CD, server management and more Visit → pixcode.io Free graphic tools — image converter, color palette generator, SVG optimizer and more Visit →