encodeURI
Use for a whole URL when you want to preserve separators such as : / ? & = #.
Enter text above to compare modes.Developer utility
Encode URL components, compare encodeURI versus encodeURIComponent, and debug percent-encoded query strings, redirect URLs, and callback parameters.
Paste a sample once and see which encoding mode preserves URL structure versus safely encoding a single value.
Use for a whole URL when you want to preserve separators such as : / ? & = #.
Enter text above to compare modes.Use for a single query value, path segment, redirect value, or form field.
Enter text above to compare modes.Use when inspecting a percent-encoded value. Invalid escapes are reported instead of guessed.
Enter text above to compare modes.Encode a search term, callback path, OAuth state value, or campaign parameter before adding it to a query string.
If %20 becomes %2520, the value was encoded twice. Decode once and check what the receiving system expects.
URL encoding is not encryption. Tokens, emails, and IDs in URLs can still be exposed in logs, browser history, and referrers.
These are the most frequent encoding errors developers encounter.
https://api.example.com/v1/search?q=hello world
Why it is a problem
Encoding the full URL with encodeURIComponent turns ://, /, and ? into percent-encoded characters, breaking the URL structure. Only query parameter values should be percent-encoded, not the URL skeleton.
How to fix
Use encodeURIComponent for individual parameter values, not the whole URL. Use encodeURI if you need to encode a full URI while preserving the structural characters.
%2520
Why it is a problem
Encoding an already-encoded string produces double-encoded output. %20 (% encoded space) becomes %2520 (%25 is the percent sign itself). The URL will not decode to the intended value.
How to fix
Decode once to check whether the string is already encoded. If decoding produces readable text, do not encode again. Apply encoding exactly once, at the point where the value is inserted into a URL.
hello+world%20test
Why it is a problem
In query strings, + represents a space (application/x-www-form-urlencoded convention), but %20 also represents a space (percent-encoding). Mixing them can cause inconsistent decoding behavior across servers.
How to fix
Use %20 for spaces in path segments and encodeURIComponent output. Be aware that + in query strings is a legacy convention — modern APIs may or may not treat + as a space.
%3Cscript%3Ealert(1)%3C%2Fscript%3E
Why it is a problem
Decoding percent-encoded text does not make it safe. If the decoded value is inserted into HTML, it can execute scripts. %3Cscript%3E decodes to <script>, which is dangerous in an HTML context.
How to fix
Always validate or sanitize decoded values before using them in HTML, SQL, or shell commands. URL decoding is a data transformation, not a security measure.
price=100% & discount=10%
Why it is a problem
The % character must always be followed by two hex digits in percent-encoding. A lone % or % followed by non-hex characters is an invalid escape sequence and may cause parse errors or data loss.
How to fix
Encode literal percent signs as %25. When building query strings programmatically, always use a proper URL encoding function rather than manual string concatenation.
Building API query strings
Encode search terms, filter values, and user-provided parameters before appending them to a URL. This prevents broken requests when values contain spaces, ampersands, or non-ASCII characters.
Preparing redirect URLs
When constructing an OAuth redirect_uri or a return URL inside a query parameter, encode the inner URL to prevent its special characters from interfering with the outer URL's structure.
Debugging malformed percent escapes
Paste a URL that is not behaving as expected. The diagnostics panel highlights invalid escape sequences and double-encoding so you can fix the URL at its source.
Cleaning URL fragments for QR codes
QR codes work best with clean, properly encoded URLs. Encode any query parameters before embedding them in a QR code to maximize scan reliability across different reader apps.
Inspecting encoded webhook payloads
Webhook delivery URLs often include percent-encoded callback parameters. Decode them to verify the intended destination before configuring the webhook in production.
Comparing encodeURI vs encodeURIComponent
Use the live comparison panel to understand the difference: encodeURI preserves / ? # & while encodeURIComponent encodes them. Choose the right function for your specific use case.
encodeURI is designed for encoding a complete URI and preserves characters that have structural meaning: / ? # & = : @. encodeURIComponent encodes those characters too, making it suitable for encoding individual query parameter values or path segments. Getting this wrong is the most common URL encoding mistake.
Decode when you need to display a URL value to a human, extract the original text for processing, or inspect what a percent-encoded string actually contains. Be aware that decoding untrusted input does not sanitize it — the decoded value may still contain dangerous content for HTML or SQL contexts.
Double encoding occurs when an already-encoded string is encoded again. %20 becomes %2520 (the % sign itself gets encoded as %25). This often happens in systems where encoding is applied at multiple layers — the frontend encodes, then the backend encodes again. The diagnostics panel detects common double-encoding patterns.
No. URL encoding is a reversible character substitution designed for transport, not secrecy. Anyone can decode a percent-encoded string back to its original form. Do not rely on URL encoding to hide sensitive data — the values remain visible in browser address bars, server logs, and network traces.
The application/x-www-form-urlencoded format (used in HTML form submissions) encodes spaces as +. The more general percent-encoding scheme (RFC 3986) encodes spaces as %20. Modern best practice is to use %20 everywhere and avoid + for spaces, as + in path segments is treated literally by many servers.
Only with encodeURI, which preserves the URL's structural characters. But the safer approach is to encode each component separately: use encodeURIComponent for query parameter values, and keep the base URL structure intact. This gives you precise control and avoids accidentally breaking the URL syntax.
Encode text to Base64 or decode Base64 strings — another reversible transform, for different use cases.
Generate QR codes from encoded URLs and text for sharing and scanning.
Format and validate JSON — common source of URL-encoded API payloads.
Convert text to URL-friendly slugs with configurable separators.
Tool guide
URL encoding converts unsafe or reserved characters into percent-encoded sequences so values can be safely placed in query strings, paths, or form submissions. Decoding reverses those sequences for inspection.
Use this tool when debugging copied URLs, API query parameters, redirects, and callback URLs. Encode only the component you need, not necessarily the entire URL.
Most FreeToolsBox tools run directly in your browser for processing. Some pages may still load analytics, ads, or third-party services. Avoid entering passwords, private keys, production tokens, personal IDs, or other sensitive data.
Validation-grade guide
Encode and decode URL components, query parameters, and percent-encoded text.
Prevents broken links by showing how spaces, Unicode, and reserved characters should appear inside URLs.
Encoding and decoding run locally in the browser; URLs may still reveal data when shared or opened.
Learn the concept
Learn when to encode a query parameter, how percent encoding works, why double encoding breaks links, and how to debug malformed escape sequences.
Read the guide →URL encoding replaces characters with percent-encoded byte sequences so they can be safely used in URLs.
Usually encode only a component such as a query parameter value. Encoding the whole URL can encode separators like : and /.
%20 is the encoded representation of a space character in many URL contexts.
Yes. URL Encoder & Decoder is free to use in your browser with no signup required.
Most FreeToolsBox tools process data locally in your browser. Some pages may load analytics, ads, or third-party services. Avoid entering sensitive data on any online page.
Free online URL encoder and decoder. Encode special characters for safe URLs or decode encoded URLs back to readable text.