URL Encoder / Decoder
Encode text for safe use in URLs or decode URL-encoded strings.
Which mode should I use?
- encodeURIComponent, for values going inside URL query strings. Escapes everything that isn't safe (including
/?&=). - encodeURI, for entire URLs. Preserves characters that have meaning in a URL structure.
Frequently asked questions
What is the difference between component and full-URL encoding?
Full-URL encoding (encodeURI) preserves reserved characters like /, ?, and & that have meaning in URLs. Component encoding (encodeURIComponent) escapes those too, which is what you want when embedding a value inside a query parameter.
Which characters get encoded?
Anything outside the unreserved set: letters, digits, hyphen, underscore, dot, and tilde. Everything else becomes % followed by two hex digits of its UTF-8 byte representation.
Why do I see %20 in some URLs and + in others?
%20 in some URLs and + in others?Both encode a space. %20 is the standard URL form, while + is a legacy convention only valid inside application/x-www-form-urlencoded form bodies and query strings.
Is anything I paste sent to a server?
No. The encoder runs entirely in your browser, so URLs containing tokens or secrets stay on your machine.
Percent-encoding: the rules underneath every URL
URLs permit a limited character set, so everything else is written as % followed by the byte's hex value: a space becomes %20, an ampersand %26, the Greek letter alpha %CE%B1 (two bytes, because encoding applies to UTF-8 bytes, not characters). Characters split into two camps: reserved characters (: / ? # & = +) have structural meaning and must be encoded when used as data, while unreserved characters (letters, digits, - _ . ~) never need encoding at all. Encoding a reserved character changes meaning; that is the entire point.
The two encodings people confuse
JavaScript exposes both. encodeURI encodes a complete URL and deliberately leaves reserved characters intact, so the URL keeps working as a URL. encodeURIComponent encodes a single value destined for one slot... a query parameter, a path segment... and escapes everything structural. Using the wrong one produces the classic bug where a redirect parameter containing & truncates silently, or where an entire URL gets so thoroughly encoded it stops being clickable.
Edge cases worth knowing
- The plus sign means space only in query strings (a legacy of form submission); in paths, + is a literal plus. %20 is unambiguous everywhere.
- Double encoding turns %20 into %2520 and is the usual culprit when decoded text shows stray % sequences.
- Decode the same number of times you encoded... exactly once, in almost all sane systems.
- Internationalised domain names use a separate mechanism (punycode, the xn-- prefix), not percent-encoding.
A decoder as a reading tool
Decoding is the underrated direction. Long tracking links, OAuth redirect chains and email-campaign URLs are routinely two or three layers of encoded parameters deep; pasting one into a decoder turns an opaque 400-character string into a readable map of where the click actually goes and what is being passed along... destination, campaign tags, session hints. It is the fastest way to audit a suspicious link before clicking, to extract the real URL buried inside a redirector, or to understand what a third-party integration is transmitting in its callbacks. Decode repeatedly until the structure stops changing; each pass peels one layer.
Advertisement