URL Encoder Decoder Online
Free Percent Encoding & URI Escape Tool 2026
Use our free URL encoder decoder online to instantly percent-encode URLs for safe HTTP transmission, or decode %XX strings back to readable text. This online URI encoder supports RFC 3986 standard encoding, component encoding (encodeURIComponent equivalent), double-decode for detecting URL obfuscation, and batch processing. Built as a professional percent encoding tool and URL string escape tool for developers working with query parameters, UTM codes, deep links, and clean URL structures for SEO. Prevents XSS and SQL injection through proper URL sanitization.
Quick Answer: What Is URL Encoding?
URL encoding (percent-encoding) converts unsafe characters to %XX hexadecimal format for safe HTTP transmission. A space becomes %20, & becomes %26. Only ASCII characters A-Z, 0-9, - _ . ~ are safe in URLs (RFC 3986). Our URL encoder decoder online handles full URL encoding, component encoding, double-decode, and batch processing with UTF-8 encoding for emojis and Unicode.
URL Percent Encoder & Decoder
Enter a URL or text to percent-encode or decode %XX strings.
Robert Harrison
OSINT & Network Utility Expert
Robert specializes in URI standards, web security, API development, and network tooling. He helps developers and security teams work safely with URL encoding, percent-encoding, and web application security.
View All ArticlesWhat Is URL Encoding and How Percent-Encoding Works
A URL encoder decoder online converts characters that are unsafe or reserved in URLs into their percent-encoded (%XX) equivalents. URLs can only contain a limited set of ASCII characters: letters A-Z, digits 0-9, and four special characters: hyphen, underscore, dot, and tilde. Everything else — spaces, Unicode, emojis, special symbols — must be percent-encoded for safe HTTP transmission.
The encoding process takes each unsafe character's byte value in hexadecimal, prefixes it with a percent sign (%), and produces a valid URI token. For example, a space (hex 20) becomes %20, an ampersand (hex 26) becomes %26. Multi-byte UTF-8 encoding characters like emojis produce multiple percent-encoded octets: 😊 becomes %F0%9F%98%8A. Our percent encoding tool handles all of this following the RFC 3986 standards.
RFC 3986: The Internet standard for Uniform Resource Identifiers defines two character classes: unreserved (A-Z, a-z, 0-9, - _ . ~) which never need encoding, and reserved (: / ? # [ ] @ ! $ & ' ( ) * + , ; =) which need encoding when used as data, not delimiters.
Why URLs Show %20 Instead of Spaces and How to Decode Them
URLs cannot contain literal spaces. When you type hello world in a URL, the browser automatically encodes the space as %20 (the hex value of the ASCII space character). This is normal percent-encoding behavior defined by RFC 3986.
Some older systems use + instead of %20 for spaces — this comes from the application/x-www-form-urlencoded standard used in HTML form submissions. Our tool supports both: URL Encode uses rawurlencode (strict RFC 3986, space = %20) while Component Encode uses urlencode (form standard, space = +).
// Space encoding: Two standards
RFC 3986: "hello world" → hello%20world
HTML Form: "hello world" → hello+world
// Our URL Decode handles both
hello%20world → "hello world"
hello+world → "hello world" (Component mode)
Use our URL percent decoder to convert any percent-encoded string back to readable text. For domain-level encoding, use our Punycode Converter. Check URL redirect chains with our Headers Analyzer.
Encode URL for SEO: Clean URL Structures and UTM Parameters
Search engines prefer clean URL structures with readable slug optimization. When building SEO-friendly URLs, encode only what is necessary. Keep slugs lowercase with hyphens instead of spaces. Properly encode URL for SEO tracking parameters (UTM codes) to prevent broken analytics.
| Scenario | Bad URL | Good URL |
|---|---|---|
| Page slug | /My Page Title | /my-page-title |
| UTM campaign | ?utm_campaign=Summer Sale! | ?utm_campaign=Summer%20Sale%21 |
| Search query | ?q=shoes & bags | ?q=shoes%20%26%20bags |
| Deep link | ?redirect=app://pay?id=5 | ?redirect=app%3A%2F%2Fpay%3Fid%3D5 |
Verify that encoded URLs resolve correctly with our DNS Lookup. Check SSL certificates with our SSL Checker. Generate secure tokens with our Password Generator.
XSS Prevention and SQL Injection Protection Through URL Encoding
Attackers exploit URL encoding to bypass security filters. A Cross-Site Scripting (XSS) attack might encode <script> as %3Cscript%3E to evade input validation. SQL injection payloads use encoding to hide UNION SELECT as %55NION%20%53ELECT. Our double-decode feature reveals these malicious URL obfuscation attempts.
// Double encoding attack example
Original: ../admin (directory traversal)
Single: %2E%2E%2Fadmin
Double: %252E%252E%252Fadmin ← Bypasses single-decode filters
// Our double-decode reveals the real payload
%252E%252E%252Fadmin → %2E%2E%2Fadmin → ../admin
Security: URL encoding alone does NOT prevent attacks. Always combine with server-side input validation, output encoding, parameterized queries, and Content Security Policy headers. Audit security headers with our Headers Analyzer. Read our IP reputation guide.
encodeURI vs encodeURIComponent: When to Use Each Mode
JavaScript provides two functions with different encoding scopes. Understanding the difference is critical for avoiding broken URLs and security vulnerabilities.
| Feature | encodeURI / URL Encode | encodeURIComponent / Component Encode |
|---|---|---|
| Preserves | : / ? # @ & = + | Nothing — encodes everything |
| Use for | Complete URLs | Query parameter values |
| PHP equiv | rawurlencode() | urlencode() |
| Space | %20 | + |
Our tool provides both modes. Use URL Encode for complete URLs and Component Encode for query parameter values. Encode data alongside URLs with our Base64 Encoder. Format JSON payloads with our JSON Formatter.
Rule: If encoding a full URL, use URL Encode. If encoding a value that goes INSIDE a URL parameter, use Component Encode. Mixing them up is the #1 cause of broken API integrations and Invalid URI format errors.
Developer Code Examples: URL Encoding in JavaScript, Python and PHP
// JavaScript: encodeURIComponent
const encoded = encodeURIComponent('hello world & foo');
// "hello%20world%20%26%20foo"
const decoded = decodeURIComponent(encoded);
// Full URL encoding (preserves structure)
encodeURI('https://example.com/path?q=hello world');
# Python: urllib.parse
from urllib.parse import quote, unquote
encoded = quote('hello world & foo')
# 'hello%20world%20%26%20foo'
decoded = unquote(encoded)
// PHP: rawurlencode / urlencode
$encoded = rawurlencode('hello world & foo');
// "hello%20world%20%26%20foo"
$decoded = rawurldecode($encoded);
// Form encoding (space = +)
$form = urlencode('hello world'); // "hello+world"
Verify code output with our URL encoder decoder online. Hash sensitive data with our Hash Generator. Check IP fraud scores with our IP Fraud Checker.
Encode Deep Links for Mobile Apps and Fix Invalid URI Errors
When embedding deep links (like myapp://screen?id=123) as URL parameters, you must component-encode the entire deep link. Otherwise, the ://, ?, and = in the deep link break the parent URL's structure.
Invalid URI format errors occur when URLs contain unencoded spaces, Unicode characters, or structural characters in wrong positions. Common fixes: encode spaces as %20, encode Unicode to UTF-8 percent sequences, and properly escape query parameters. Our website URL sanitizer handles all of these.
Check mobile browser fingerprints with our Browser Info Tool. Verify email links with our Email Verifier. Read our digital footprint guide.
URL Encoding vs Base64 vs Punycode: Choosing the Right Encoding
- URL Encoding (Percent): For URL paths and query parameters. Converts unsafe chars to
%XX. Use our URL string escape tool. - Base64: For embedding binary data (images, files) in text. Encodes bytes to A-Z, a-z, 0-9, +, /. Use our Base64 Encoder.
- Punycode: For internationalized domain names only. Converts Unicode domains to ASCII
xn--format. Use our Punycode Converter.
Quick Rule: Domain part → Punycode. Path and query → URL encoding. Binary data in text → Base64. Never mix them up.
Redirect Safety: How URL Encoding Affects Link Security
Open redirect vulnerabilities allow attackers to craft URLs on trusted domains that redirect to malicious sites. Encoded redirect parameters hide the destination: ?redirect=%68%74%74%70%3A%2F%2F%65%76%69%6C%2E%63%6F%6D decodes to http://evil.com. Always decode redirect URLs before processing.
Verify domain ownership with our WHOIS Lookup. Scan ports with our Port Scanner. Check for disposable emails used in phishing with our Temp Email Checker. Read our fix 550 RBL errors guide and IP reputation for bulk email.
Complete URL Encoding Workflow for Developers
- Step 1: Paste URL or text into our URL encoder decoder online.
- Step 2: Choose mode — URL Encode for full URLs, Component Encode for parameter values.
- Step 3: For suspicious URLs, use Double Decode to reveal hidden URL obfuscation.
- Step 4: Check stats — see how many characters were percent-encoded.
- Step 5: Use Batch mode for bulk encoding/decoding (up to 100 URLs).
- Step 6: Copy or download the result for integration.
- Step 7: Verify your clean URL structures resolve correctly with our DNS Lookup.
- Step 8: Audit security headers with our Headers Analyzer. Read our cold emailing security guide.
Frequently Asked Questions About URL Encoding
Q What is a URL encoder decoder online?
A URL encoder decoder online converts unsafe characters to %XX percent-encoded format for safe HTTP use, or decodes encoded strings. Our percent encoding tool supports RFC 3986, component encoding, double-decode, and batch mode.
Q Why does my URL show %20 instead of spaces?
%20 is the hexadecimal encoding of a space character per RFC 3986. URLs cannot contain literal spaces. Use our URL percent decoder to convert %20 back to spaces for readability.
Q How to encode URLs for Google Ads?
Use our encoder to percent-encode special characters in landing URLs and UTM tracking parameters. Characters like &, =, and spaces must be encoded in parameter values. This ensures Google Ads tracking and redirect safety work correctly.
Q How to decode double-encoded URLs?
Our double-decode runs two decoding passes. This reveals URL obfuscation used in XSS and SQL injection attacks where %25 encodes the percent sign itself (e.g., %2520 → %20 → space).
Q What is the difference between encodeURI and encodeURIComponent?
encodeURI preserves URL structural characters (: / ? #). encodeURIComponent encodes everything — safe for query parameter values. Our tool offers both modes: URL Encode and Component Encode.
Q Can URL encoding prevent XSS attacks?
Encoding helps but is not sufficient alone. Proper XSS prevention requires encoding + input validation + output escaping + CSP headers. Always decode and validate on the server. Audit headers with our Headers Analyzer.
Q How to encode deep links for mobile apps?
Use Component Encode on the entire deep link URL before embedding it as a parameter value. This encodes :// and ? to prevent breaking the parent URL. Safely encode deep links like myapp://path → myapp%3A%2F%2Fpath.
Q How to fix Invalid URI format errors?
Invalid URI errors mean unencoded special characters in URLs. Encode spaces (%20), Unicode to UTF-8 percent sequences, and escape query parameters. Our website URL sanitizer converts any string to a valid encoded URI.
Related Developer & Security Tools
Complete your web development workflow.
Encode, Decode & Sanitize URLs Instantly
Free URL Encoder — No Signup Required
Our URL encoder decoder online supports percent-encoding, component encoding, double-decode, and batch processing. RFC 3986 compliant. The best online tool to decode double-encoded URLs.