
How to Encode and Decode URLs Correctly
URLs cannot contain spaces, non-ASCII characters, or reserved symbols like ampersands and question marks β unless they are properly encoded. URL encoding (also called percent-encoding) replaces unsafe characters with a percent sign followed by two hex digits. Getting encoding right prevents broken links, 404 errors, and security vulnerabilities.
What gets encoded and why
Spaces become %20 (or + in query strings). The ampersand becomes %26 because an unencoded ampersand would be interpreted as a new query parameter separator. The ToolStand URL Encoder and Decoder handles all these rules. Paste any text and click Encode to get a URL-safe string, or paste an encoded URL and click Decode to see the original.
Common use cases
Query parameters with special characters. If a user searches for "AT&T earnings," the ampersand must be encoded as %26 or the URL breaks. Non-ASCII characters. URLs with Chinese, Arabic, or emoji characters must be percent-encoded for compatibility. Dynamic link generation. When you build URLs programmatically, always encode user-supplied values before inserting them into query strings to prevent injection attacks.
Encoding vs. decoding: when to use each
Encode before sending a URL: when building links, creating API requests, or sharing URLs that contain user data. Decode when receiving a URL: when parsing incoming requests, reading query parameters from logs, or trying to understand what a garbled URL actually contains. The bidirectional converter makes both operations equally fast.
encodeURI vs. encodeURIComponent β the JavaScript trap that breaks URLs
JavaScript provides two URL-encoding functions, and confusing them is a common source of bugs. encodeURI() encodes everything except: A-Z a-z 0-9 ; , / ? : @ & = + $ - _ . ! ~ * ' ( ) #. It keeps URL structure characters intact β suitable for encoding a full URL. encodeURIComponent() encodes everything except: A-Z a-z 0-9 - _ . ! ~ * ' ( ). It encodes / ? & = # and other structural characters. Use encodeURIComponent() for query parameter values, path segments, and fragment identifiers. The classic mistake: using encodeURI() on a query string value like "AT&T earnings" β the ampersand passes through unencoded, splitting the query into two parameters. The URL Encoder always applies component-level encoding, which is the safer default for query parameters, path segments, and form data.
Double-encoding and the percent-sign paradox
Double-encoding happens when an already-encoded string is encoded again. %20 (a space) becomes %2520 because the % itself gets encoded as %25. This produces broken URLs where the server sees a literal %20 instead of a space. Double-encoding is hard to spot because the URL looks "encoded" β just overly so. Common causes: (1) frameworks that auto-encode query parameters, then the developer encodes a second time; (2) proxy servers that re-encode URLs; (3) copy-pasting encoded URLs into tools that encode again. The decoder reveals double-encoding: if decoding produces %20 instead of a space, decode once more. The URL Encoder shows the encoded and decoded versions side by side, so you can verify the result before using it.
URL fragment encoding β hashtags, anchors, and SPAs
The fragment identifier (everything after #) is never sent to the server β it stays in the browser for client-side routing. In single-page applications (SPAs), the fragment often contains application state: example.com/app#/user/123?tab=profile. But fragments still need encoding for special characters. The fragment #section 2 must become #section%202 to avoid breaking the URL. The URL Encoder handles fragments correctly: encode the portion after # separately from the path and query string. In JavaScript, use encodeURIComponent() on fragment values; in HTTP servers, fragment encoding is a non-issue because fragments never reach the server.
Internationalized URLs β non-ASCII characters and Punycode
URLs with non-ASCII characters (Chinese, Arabic, Cyrillic, emoji) require two transformations: Punycode for the domain and percent-encoding for the path. The domain mΓΌnchen.de becomes xn--mnchen-3ya.de in Punycode. The path /ζ±δΊ¬ becomes /%E6%9D%B1%E4%BA%AC in percent-encoding. Modern browsers display the decoded version in the address bar but use the encoded version over the wire. The encoder handles both transformations: paste a URL with Unicode characters and it produces the browser-safe, encoded version. This is essential for API clients, crawlers, and any system that processes URLs programmatically.
URL encoding for security β preventing injection attacks
URL encoding is a defense-in-depth mechanism, not a security feature on its own β but using it incorrectly creates vulnerabilities. CRLF injection: unencoded %0D%0A (carriage return + line feed) in a URL can inject HTTP headers in vulnerable proxies. Open redirect: unencoded redirect URLs in query parameters can lead users to phishing sites if the server does not validate the target. SQL injection via URL: if a URL parameter is decoded and passed to a database query without parameterization, encoding does not prevent the attack β use prepared statements. The encoder ensures your URLs are structurally valid, but security still requires server-side validation, parameterized queries, and redirect allowlists.
Frequently Asked Questions
What is the difference between URL encoding and HTML encoding?
URL encoding (percent-encoding) replaces unsafe characters with %XX hex codes for use in URLs. HTML encoding replaces <, >, &, and similar characters with named entities or numeric codes for safe display in HTML. They serve different purposes: URL encoding makes strings safe for HTTP transmission; HTML encoding prevents XSS and markup injection. The URL Encoder handles URL encoding; use the HTML Entity Encoder for HTML-safe output.
Does URL encoding affect SEO?
Properly encoded URLs (especially non-ASCII and special characters) are crawled and indexed normally by Google. However, avoid generating URLs with unnecessary encoded characters β clean, readable URLs with hyphens for word separation perform better in search results. If your CMS produces encoded URLs (like /post/%C3%BCber-uns), configure it to use transliterated slugs (/post/ueber-uns) instead.
How do I encode a full URL vs. a query parameter value?
Encode the full URL for safe transmission: spaces become %20. Encode individual query parameter values with a stricter encoder that also escapes &, =, and ?. In JavaScript, encodeURI(url) for the full URL, encodeURIComponent(value) for parameter values. The URL Encoder applies component-level encoding by default, which is safe for parameter values, paths, and fragments.
What does "application/x-www-form-urlencoded" mean?
It is the MIME type for HTML form data submitted via POST. In this format, spaces become + (not %20), line breaks become %0D%0A, and each key-value pair is separated by &. Most URL encoders produce percent-encoding (%20) rather than form-encoding (+). Check your API requirements: some older endpoints expect form-encoded bodies with + for spaces.
Why does my browser show readable URLs while the encoded version has %20 codes?
Modern browsers decode URLs for display in the address bar. Copy the URL from the address bar and paste it into a text editor β you'll see the decoded version. Inspect the raw HTTP request (DevTools > Network) to see the actual encoded URL sent over the wire. The URL Encoder shows both versions side by side, bridging the gap between what you see and what the server receives.
Explore all 109 free tools at toolstand.io. Free, forever. No sign-up. No download. Just tools that work.