URL Encoding
DataDefinition
URL encoding (percent-encoding) converts characters that are not allowed in URLs into a safe format by replacing them with a % followed by two hexadecimal digits. Spaces become %20 or +, special characters like & and = are encoded when used in query parameters.
Percent-Encoding Reference
URL encoding replaces each unsafe character with % followed by its ASCII hex value. Common encodings: space → %20 (or + in form data), ! → %21, # → %23, $ → %24, % → %25, & → %26, ' → %27, ( → %28, ) → %29, * → %2A, + → %2B, , → %2C, / → %2F, : → %3A, ; → %3B, = → %3D, ? → %3F, @ → %40, [ → %5B, ] → %5D. Unreserved characters (A-Z, a-z, 0-9, -, _, ., ~) are never encoded. Reserved characters (! # $ & ' ( ) * + , / : ; = ? @ [ ]) have special meaning in URLs and must be encoded when used as literal values in query parameters. RFC 3986 defines which characters are safe in which URL components. Different rules apply to paths versus query strings versus fragments, so encoding requirements vary depending on where in the URL a value appears.
encodeURI vs encodeURIComponent in JavaScript
encodeURI() in JavaScript encodes a complete URL, preserving structural characters (: / ? # & = @ ! $ ' ( ) * + , ;). Use it when you have a full URL and want to make it safe for transmission. encodeURIComponent() encodes a URL component, meaning a single key or value in a query string, and encodes all reserved characters including / : ? & = #. Use it for individual query parameter values. Example: const url = 'https://example.com/search?' + encodeURIComponent('q') + '=' + encodeURIComponent('C# language'); In Python: urllib.parse.quote(string, safe='') for component encoding, or urllib.parse.urlencode(dict) for full query strings. Do not double-encode: encoding an already-encoded string produces %2525 instead of %25, which causes broken behavior that is difficult to debug.
URL Encoding in Practice
HTML forms submit data as application/x-www-form-urlencoded where spaces become + and other characters become %XX. Modern APIs use percent-encoding (spaces as %20) rather than + for spaces, following RFC 3986 more strictly. Paths in URLs can contain %2F (encoded slash), which some servers treat as a literal slash character in path traversal checks. Always validate decoded paths on the server to prevent directory traversal attacks. Internationalized domain names (IDN) use Punycode for the host rather than percent-encoding: münchen.de becomes xn--mnchen-3ya.de in DNS. URL encoding is not encryption. It is reversible by anyone who decodes the string. Never use URL encoding to hide sensitive data; use proper encryption for that purpose. Canonical URL comparison requires decoding and re-encoding consistently because case matters in strict comparisons (%2F and %2f both represent / but are not identical strings).
Related Tools
Frequently Asked Questions
Related Terms
Base64
Base64 is a binary-to-text encoding scheme that represents binary data using 64 printable ASCII characters (A-Z, a-z, 0-9, +, /). It increases data size by ~33% but allows binary data to be safely transmitted over text-only channels like email and URLs.
UTF-8
UTF-8 is a variable-length character encoding for Unicode. It represents each character using 1 to 4 bytes and is the dominant encoding on the web (used by ~98% of websites). UTF-8 is backward compatible with ASCII; the first 128 characters use one byte each.
ASCII
ASCII (American Standard Code for Information Interchange) is a character encoding standard that assigns numbers 0-127 to characters: 0-31 are control characters, 32-127 are printable characters (letters, digits, punctuation). ASCII is the basis for UTF-8 and most modern text encodings.
Unicode
Unicode is a universal character set standard that assigns a unique code point (number) to every character in every writing system, including emoji and symbols. The Unicode Standard covers over 149,000 characters across 161 scripts. UTF-8, UTF-16, and UTF-32 are encodings of Unicode.