The internet is built on URLs (Uniform Resource Locators). However, URLs have a strict limitation: they can only contain a specific set of US-ASCII characters. This includes digits (0-9), letters (A-Z, a-z), and a few special characters (- _ . ~).
So what happens when you need to send a search query like "Apple & Orange"? Or a file name like résumé.pdf? Or an Arabic query like مرحبا?
If you put these directly into a URL, they will break the request. This is why we need the URL Encoder & Decoder.
What is Percent-Encoding?
URL Encoding (officially "Percent-Encoding") transforms unsafe characters into a format that can be transmitted over the internet. It works by taking the Hexadecimal value of the character in the ASCII (or UTF-8) table and prefixing it with a %.
Examples:
- Space ( ) →
%20(or+in some contexts) - Ampersand (&) →
%26 - Slash (/) →
%2F - Comma (,) →
%2C
Using our tool, the input Apple & Orange becomes Apple%20%26%20Orange.
Spaces: %20 vs +
This is a common source of confusion. How should a space be encoded?
- Path Components (
/path/to file): Must be%20. - Query Strings (
?q=search term): Historically encoded as+(due toapplication/x-www-form-urlencoded), but%20is also valid and safer.
Our tool uses the modern encodeURIComponent standard (JavaScript), which prefers %20.
Unicode and UTF-8
Percent-encoding was designed for 7-bit ASCII. To support global languages (Arabic, Chinese, Emojis), we first encode characters into bytes using UTF-8, then percent-encode each byte.
Example: The Emoji "🔥"
- Unicode:
U+1F525 - UTF-8 Bytes:
0xF0 0x9F 0x94 0xA5 - URL Encoded:
%F0%9F%94%A5
Try pasting specific text like "Café" or "مرحبا" into the tool to see how each byte is handled.
When to Use This Tool
- Debugging APIs: When a cURL request fails because of unescaped query parameters.
- Form Submission: Understanding how browsers send data.
- UTM Parameters: Building marketing links (e.g.,
utm_source=facebook&utm_campaign=summer sale).
Security: Double Encoding Attacks
Sometimes attackers try to bypass firewalls (WAFs) by encoding an attack twice. For instance, sending %252E%252E%252F (which decodes to %2E%2E%2F, which decodes to ../) to perform Path Traversal. Security systems must decode recursively until the string stops changing to detect the threat.