Encode and decode URLs instantly
%20 or +%26%3D%3F%2F%23%25%2BEncode or decode URLs in real-time as you type.
All processing happens in your browser. Nothing is sent to servers.
Choose between encodeURI and encodeURIComponent for your needs.
Copy encoded or decoded results instantly to clipboard.
Handles all special characters, Unicode, and emojis.
Works perfectly on phones and tablets.
URL encoding (also called percent-encoding) is a method to convert special characters into a format that can be safely transmitted in URLs. Characters like spaces, ampersands, and non-ASCII characters are replaced with a percent sign (%) followed by their hexadecimal ASCII value. For example, a space becomes %20.
URL encoded means that special characters in a string have been converted to percent-encoded format. For example, "hello world" URL encoded becomes "hello%20world". This ensures the data can be safely included in a URL without being misinterpreted as URL syntax (like & or =).
URL encoded format (application/x-www-form-urlencoded) represents data where special characters are replaced with %XX (where XX is the hex value). Spaces can be either %20 or +. This format is commonly used in form submissions and query strings.
URL encoded data is information that has been converted using percent-encoding so it can be safely transmitted in URLs. This includes form data sent via POST requests, query parameters, and any text containing special characters that need to be included in a URL.
Spaces in URLs can be encoded two ways: %20 (percent-encoding) or + (form encoding). The %20 format is more universally accepted. Our tool uses %20 by default with encodeURIComponent, which is the recommended approach for modern applications.
URL encoding works by converting unsafe ASCII characters to a "%" followed by two hexadecimal digits. The character's ASCII/Unicode code point is converted to hex. For example, the space character (ASCII 32, hex 20) becomes %20. Non-ASCII characters (like Γ© or ζ₯) are first converted to UTF-8 bytes, then each byte is percent-encoded.
To URL encode a string: 1) Paste your text in the input field above, 2) Select "encodeURIComponent" for query parameters or "encodeURI" for full URLs, 3) Click "Encode URL", 4) Copy the result. In code, use JavaScript's encodeURIComponent() or Python's urllib.parse.quote().
To URL decode: 1) Switch to "Decode" mode using the tab above, 2) Paste your encoded URL or text, 3) Click "Decode URL", 4) View and copy the decoded result. The tool automatically handles both %XX encoding and + for spaces.
encodeURI encodes a complete URI, preserving characters like :, /, ?, #, and & that have special meaning in URLs. encodeURIComponent encodes everything except letters, numbers, and - _ . ~ characters. Use encodeURIComponent for query parameter values, and encodeURI when encoding a complete URL.
In JavaScript, use encodeURIComponent(str) for encoding query parameters or encodeURI(str) for full URLs. To decode, use decodeURIComponent(str) or decodeURI(str). Example: encodeURIComponent("hello world") returns "hello%20world".
In Python, use urllib.parse.quote(string) for encoding or urllib.parse.quote_plus(string) to also encode spaces as +. To decode: urllib.parse.unquote(string). For complete URLs: urllib.parse.urlencode(dict) encodes key-value pairs for query strings.
In Java, use URLEncoder.encode(string, "UTF-8") for encoding and URLDecoder.decode(string, "UTF-8") for decoding. Note that URLEncoder encodes spaces as + rather than %20. For %20 encoding, use: URLEncoder.encode(string, "UTF-8").replace("+", "%20").
In Bash, you can use: python3 -c "import urllib.parse; print(urllib.parse.quote('your string'))" or with curl: curl -Gso /dev/null -w %{url_effective} --data-urlencode "param=value" "". For simple cases: echo "string" | jq -sRr @uri (requires jq).
URL encoding alone does NOT prevent XSS (Cross-Site Scripting). While it can help in some contexts, proper XSS prevention requires context-aware output encoding (HTML encoding for HTML context, JavaScript encoding for JS context, etc.). Always use proper security libraries and Content Security Policy (CSP) headers.
No, URL encoding does NOT prevent SQL injection. URL encoding is for URL transmission, not database security. To prevent SQL injection, always use parameterized queries (prepared statements), input validation, and proper database escaping. Never rely on encoding alone for security.
The hex digits in percent-encoding (%XX) are case-insensitive according to RFC 3986 - %2f and %2F both represent "/". However, it's recommended to use uppercase letters for consistency. The actual characters being encoded (letters in the URL) remain case-sensitive.
URL encoding is needed because URLs can only contain certain ASCII characters. Special characters like spaces, &, =, and non-ASCII characters (Γ©, δΈ, π) would break URL parsing or be misinterpreted. Encoding ensures data is transmitted accurately and URLs remain valid.
Special characters are automatically encoded when you use our tool. Common encodings: & becomes %26, = becomes %3D, ? becomes %3F, # becomes %23, / becomes %2F. Just paste your text and click encode - all special characters will be properly converted.
For URL parameters, use encodeURIComponent (the default in our tool). This encodes all special characters including & and = which have special meaning in query strings. Example: ?name=John%20Doe&city=New%20York - each value should be encoded separately.
If you must include credentials in a URL (not recommended for security), encode special characters in the password using encodeURIComponent. Format: https://user:pass%[email protected] (where @ in password becomes %40). Better practice: use authentication headers instead of URL credentials.
A URL decoder converts percent-encoded characters back to their original form. It reverses the encoding process: %20 becomes a space, %26 becomes &, etc. Use our decoder to read URLs that contain encoded characters, debug API responses, or convert encoded text back to readable format.