Security

URL Encoder: Percent-Encoding Guide

· QuickToolFlow
url encoding percent encoding web development security

URL encoding, also called percent-encoding, converts characters into a URL-safe representation. It is essential when a URL contains spaces, symbols, non-ASCII text, or values inside a query string.

Use the URL Encoder & Decoder when you need to encode or decode URL parts, query parameters, redirect URLs, API values, or copied links.

Why URL Encoding Exists

URLs use certain characters for structure. For example:

? starts the query string
& separates query parameters
= separates keys and values
# starts a fragment
/ separates path segments

If one of these characters appears inside a value, it can be misread as URL structure.

For example:

search=red & blue

The & could be interpreted as a separator. After encoding:

search=red%20%26%20blue

The value is safer to pass in a URL.

Common Encoded Characters

Some common examples:

space -> %20
&     -> %26
=     -> %3D
#     -> %23
?     -> %3F

Encoding keeps the meaning of the value while preventing the URL parser from treating it as syntax.

Reserved vs Unreserved Characters

URLs have characters that are allowed as normal data and characters that may have structural meaning.

Unreserved characters such as letters, numbers, hyphens, underscores, dots, and tildes usually do not need encoding:

a-z A-Z 0-9 - _ . ~

Reserved characters may need encoding when they are part of a value:

: / ? # [ ] @ ! $ & ' ( ) * + , ; =

The important phrase is “when they are part of a value.” A slash separates path segments in a URL, but a slash inside a redirect parameter should usually be encoded.

Spaces: %20 vs +

Spaces are commonly represented as %20. In form-encoded query strings, you may also see +.

For example:

q=red+shoes
q=red%20shoes

Both can represent a space in many query string contexts, but they are not always interchangeable in every URL part. %20 is the safer general representation when you are manually inspecting or building URL components.

Encode Components, Not Always the Whole URL

One of the most common mistakes is encoding an entire URL when only a value should be encoded.

If you encode this whole URL:

https://example.com/search?q=red shoes

you may turn https:// and /search into encoded text, which is not useful for a normal clickable link.

Usually, you encode the parameter value:

q=red%20shoes

Use the URL Parser if you need to inspect which part of a URL should be encoded.

Path Segments vs Query Values

Different URL parts have different encoding expectations.

Path segment:

/docs/url-encoding-guide

Query value:

?q=url%20encoding%20guide

A slash in a path separates sections. A slash inside a query value may simply be data. This is why the safest process is to identify the URL part first, then encode that component.

For building full query strings from multiple values, use the URL Query Builder instead of manually joining strings.

Nested URLs and Redirect Parameters

Some links include another URL as a parameter value:

https://example.com/redirect?to=https://quicktoolflow.com/tools/

The nested URL should be encoded so its : and / characters are treated as part of the value:

https://example.com/redirect?to=https%3A%2F%2Fquicktoolflow.com%2Ftools%2F

This is common in redirect links, OAuth flows, payment callbacks, and campaign tools.

Double Encoding

Double encoding happens when an already encoded value is encoded again.

One pass:

& -> %26

Two passes:

%26 -> %2526

Sometimes nested systems intentionally require more than one encoding layer, but most everyday URL bugs come from accidental double encoding. If a server receives %2526 where you expected &, decode one layer at a time and check which system encoded the value.

URL Encoding vs Base64

URL encoding and Base64 solve different problems. URL encoding makes text safe inside a URL. Base64 represents binary or text data using a limited character set.

Use URL encoding for query values and path-safe text. Use Base64 Encoder & Decoder when you need reversible representation of data, not normal URL parameter escaping.

Security Limits of URL Encoding

URL encoding is not encryption, signing, or validation. It does not make a dangerous URL safe. It only changes how characters are represented.

For example, this encoded value:

%3Cscript%3E

decodes to:

<script>

If decoded content is later inserted into HTML without proper escaping, it can still be dangerous. Treat URL decoding as parsing, not as sanitizing.

A Practical Workflow

  1. Identify the exact URL part you need to encode.
  2. Encode only the query value, path segment, or fragment value when possible.
  3. Decode suspicious links to inspect their real content.
  4. Use the URL Parser to review protocol, host, path, query, and hash.
  5. Use the UTM Builder for campaign URLs instead of manually assembling every parameter.

Common Mistakes

Do not encode a full URL unless the full URL is meant to be used as a parameter value inside another URL.

Do not assume encoding makes a link safe or trusted. It only changes representation.

Do not confuse URL encoding with encryption. Anyone can decode percent-encoded text.

Do not double-encode values unless the receiving system explicitly expects it. %26 can become %2526, which changes what the server receives after one decoding pass.

Debugging URL Encoding Problems

When a link does not behave as expected:

  1. Parse the URL into protocol, host, path, query, and fragment.
  2. Identify which parameter or path segment looks wrong.
  3. Decode only that component.
  4. Check whether separators such as &, =, or # were meant to be data.
  5. Re-encode the value once.
  6. Test the rebuilt URL.

This step-by-step approach is more reliable than repeatedly pasting the whole URL into an encoder.

Final Tip

URL encoding is about preserving meaning while keeping URLs valid. When in doubt, encode the value, not the whole link, and inspect the result before sharing it.

Keep going

Related tools and guides

All tools