URL encoding, also called percent encoding, is the process of converting characters into a format that can be safely transmitted over the internet in URLs. URLs can only contain a limited set of characters from the ASCII character set. Any character outside this set, or characters with special meaning in URLs, must be encoded as a percent sign followed by two hexadecimal digits representing the character's byte value.
For example, a space character is encoded as %20, an ampersand as %26, and a plus sign as %2B.
Certain characters have special meanings in URLs and must be encoded when used literally:

- ? (question mark) - Separates path from query string
- & (ampersand) - Separates query parameters
- = (equals) - Separates parameter names from values
- # (hash) - Indicates fragment identifier
- / (forward slash) - Separates path components
- : (colon) - Separates scheme from authority
- @ (at sign) - Separates credentials from hostname

Some characters can cause problems or have ambiguous meanings in URLs:

- (space) - %20 or + in query strings
- < > (angle brackets) - Can be confused with HTML
- " (quotes) - Can break HTML attributes
- { } (curly braces) - Reserved for future URI syntax
- | \ ^ ~ - Often cause issues with gateways

Characters from non-English languages, emoji, and special symbols must be encoded. For example:

- niño becomes ni%C3%B1o
- 网页 becomes %E7%BD%91%E9%A1%B5
- 😀 becomes %F0%9F%98%80

| Character | Encoded | Description |
|---|---|---|
| Space | %20 or + | Plus sign used in query strings |
| ! | %21 | Exclamation mark |
| # | %23 | Hash/pound sign |
| $ | %24 | Dollar sign |
| % | %25 | Percent sign itself |
| & | %26 | Ampersand |
| ' | %27 | Apostrophe |
| ( | %28 | Left parenthesis |
| ) | %29 | Right parenthesis |
| + | %2B | Plus sign |
| / | %2F | Forward slash |
| : | %3A | Colon |
| = | %3D | Equals sign |
| ? | %3F | Question mark |
| @ | %40 | At symbol |

Always encode values in query strings, especially when they contain special characters or spaces:
Wrong: /search?q=cats and dogs
Correct: /search?q=cats%20and%20dogs
When path segments contain special characters, they should be encoded:
Example: /files/my%20document.pdf instead of /files/my document.pdf
When submitting forms with the GET method, form fields are automatically URL-encoded by the browser. Understanding this helps debug form submission issues.
When building API request URLs programmatically, ensure all dynamic values are properly encoded to prevent errors and security vulnerabilities.
application/x-www-form-urlencoded is the default encoding for HTML form data. It uses + for spaces instead of %20 and encodes most special characters.
In JavaScript, encodeURIComponent() encodes all characters except: A-Z a-z 0-9 - _ . ! ~ * ' ( )
encodeURI() encodes a complete URI, preserving characters like :, /, ?, and & that have special meaning in URIs.
Always encode user input before including it in URLs to prevent URL injection attacks. Attackers might try to inject malicious query parameters or manipulate the URL structure.
Be careful not to encode data multiple times, which can lead to incorrect values. For example, a space encoded twice becomes %2520 instead of %20.
URL encoding is NOT encryption. Never put sensitive information like passwords in URLs, even if encoded. URLs are logged by servers, visible in browser history, and transmitted in plain text.
In query strings, + represents a space, but in paths it's a literal plus sign. Context matters when encoding and decoding.
Fragment identifiers (after #) are not sent to the server, so server-side encoding doesn't affect them. They're handled entirely by the browser.
A forward slash that is part of a path component's value, rather than a separator between components, should usually be encoded as %2F so that it is not interpreted as a path separator.
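
The points above about encoding dynamic values, double encoding, + versus %20, and slashes inside a path component, shown together as an added example (not code from the original page). The host, route, parameter names and sample inputs are constructed for illustration, and the dot-segment check is an extra safeguard the page does not discuss.

```javascript
// Added example: host, routes, parameter names and inputs are all constructed.
const BASE = 'https://api.example.test';

// Unsafe: raw concatenation lets a value change the URL's structure.
function buildNaive(folder, q) {
  return `${BASE}/files/${folder}/search?q=${q}&scope=own`;
}

// Safe: encode each value for the component it is placed in.
function buildSafe(folder, q) {
  // encodeURIComponent leaves "." untouched and URL parsers collapse "." and
  // ".." segments, so reject them (a check added here, not from the page).
  if (folder === '.' || folder === '..') throw new RangeError('dot segment');
  const url = new URL(BASE);
  // Path segment: "/" becomes %2F and space becomes %20.
  url.pathname = `/files/${encodeURIComponent(folder)}/search`;
  // Query: URLSearchParams writes form encoding (space -> "+", "&" -> %26).
  url.search = new URLSearchParams({ q, scope: 'own' }).toString();
  return url.toString();
}

// Decode a form-encoded query value: "+" means space here, unlike in a path.
function decodeFormValue(raw) {
  return decodeURIComponent(raw.replace(/\+/g, ' '));
}

// Parse a URL the way a receiving server would, to see what was really sent.
function inspect(urlString) {
  const url = new URL(urlString);
  return {
    segments: url.pathname.split('/').slice(1),
    scope: url.searchParams.getAll('scope'),
    q: url.searchParams.get('q'),
  };
}

const folder = 'reports/2024 Q1'; // constructed: contains "/" and a space
const q = 'cats & dogs&scope=all'; // constructed: contains "&" and "="

console.log(inspect(buildNaive(folder, q))); // 4 segments, scope: all + own
console.log(inspect(buildSafe(folder, q))); // 3 segments, scope: own only
console.log(encodeURIComponent(encodeURIComponent(' '))); // %2520
```

With the naive builder the receiver sees an extra path segment, a truncated q value and two scope parameters; with the safe builder the values round-trip unchanged.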