URL Encoder / Decoder

Encode text for safe use in URLs or decode URL-encoded strings.

Which mode should I use?

  • encodeURIComponent, for values going inside URL query strings. Escapes everything that isn't safe (including /?&=).
  • encodeURI, for entire URLs. Preserves characters that have meaning in a URL structure.

Frequently asked questions

What is the difference between component and full-URL encoding?

Full-URL encoding (encodeURI) preserves reserved characters like /, ?, and & that have meaning in URLs. Component encoding (encodeURIComponent) escapes those too, which is what you want when embedding a value inside a query parameter.

Which characters get encoded?

Anything outside the unreserved set: letters, digits, hyphen, underscore, dot, and tilde. Everything else becomes % followed by two hex digits of its UTF-8 byte representation.

Why do I see %20 in some URLs and + in others?

Both encode a space. %20 is the standard URL form, while + is a legacy convention only valid inside application/x-www-form-urlencoded form bodies and query strings.

Is anything I paste sent to a server?

No. The encoder runs entirely in your browser, so URLs containing tokens or secrets stay on your machine.

Percent-encoding: the rules underneath every URL

URLs permit a limited character set, so everything else is written as % followed by the byte's hex value: a space becomes %20, an ampersand %26, the Greek letter alpha %CE%B1 (two bytes, because encoding applies to UTF-8 bytes, not characters). Characters split into two camps: reserved characters (: / ? # & = +) have structural meaning and must be encoded when used as data, while unreserved characters (letters, digits, - _ . ~) never need encoding at all. Encoding a reserved character changes meaning; that is the entire point.

The two encodings people confuse

JavaScript exposes both. encodeURI encodes a complete URL and deliberately leaves reserved characters intact, so the URL keeps working as a URL. encodeURIComponent encodes a single value destined for one slot... a query parameter, a path segment... and escapes everything structural. Using the wrong one produces the classic bug where a redirect parameter containing & truncates silently, or where an entire URL gets so thoroughly encoded it stops being clickable.

Edge cases worth knowing

  • The plus sign means space only in query strings (a legacy of form submission); in paths, + is a literal plus. %20 is unambiguous everywhere.
  • Double encoding turns %20 into %2520 and is the usual culprit when decoded text shows stray % sequences.
  • Decode the same number of times you encoded... exactly once, in almost all sane systems.
  • Internationalised domain names use a separate mechanism (punycode, the xn-- prefix), not percent-encoding.

A decoder as a reading tool

Decoding is the underrated direction. Long tracking links, OAuth redirect chains and email-campaign URLs are routinely two or three layers of encoded parameters deep; pasting one into a decoder turns an opaque 400-character string into a readable map of where the click actually goes and what is being passed along... destination, campaign tags, session hints. It is the fastest way to audit a suspicious link before clicking, to extract the real URL buried inside a redirector, or to understand what a third-party integration is transmitting in its callbacks. Decode repeatedly until the structure stops changing; each pass peels one layer.

Advertisement