How URL Encoding Handles Spaces and Special Characters
URL encoding looks simple until a link breaks because of one character. A space, ampersand, question mark, slash, hash sign, or plus sign can change the meaning of a URL if it appears in the wrong place. That is why web applications encode unsafe or reserved characters before putting values into query strings, redirect URLs, API requests, analytics links, and form submissions.
This guide explains how URL encoding handles spaces and special characters, why different URL parts should be encoded differently, and how to avoid common mistakes when working with query parameters or nested URLs.
You can test the examples with the URL Encoder Decoder Online while reading.
What URL Encoding Does
URL encoding, also called percent-encoding, replaces characters with a % followed by two hexadecimal digits.
For example:
hello worldbecomes:
hello%20worldThe space is replaced with %20 because a raw space is not safe inside a URL.
URL encoding is not encryption. It does not hide data. It only makes text safe to place inside URL components.
Reserved Characters vs Unsafe Characters
Some characters are not merely unsafe. They already have structural meaning inside URLs.
Examples:
| Character | Common URL meaning |
|---|---|
? | Starts the query string |
& | Separates query parameters |
= | Separates a key from a value |
# | Starts the fragment identifier |
/ | Separates path segments |
: | Separates protocol or host/port parts |
+ | Often treated as a space in form-style encoding |
If one of these characters is part of a value, not part of the URL structure, it usually needs encoding.
For example, this query value is ambiguous:
https://example.com/search?q=design & toolsThe raw ampersand can be interpreted as a parameter separator.
The safer version is:
https://example.com/search?q=design%20%26%20toolsNow the ampersand belongs to the value.
How Spaces Are Encoded
Spaces can appear as %20 or +, depending on the context.
In general URL percent-encoding, a space becomes:
%20In application/x-www-form-urlencoded form encoding, a space is often represented as:
+That difference causes confusion. For many modern URL-building workflows, %20 is the clearer and safer representation. If you are building query values with browser APIs such as URLSearchParams, the browser may use form-style encoding rules for the query string.
The practical advice:
- Do not manually replace spaces unless you know which encoding context you need.
- Use
encodeURIComponentfor individual query values. - Use URL-building APIs when constructing full URLs programmatically.
Encode Values, Not Always the Whole URL
One of the most common URL encoding mistakes is encoding an entire URL when only a parameter value should be encoded.
Suppose you want this final URL:
https://example.com/search?q=red shoesOnly the value red shoes needs encoding:
https://example.com/search?q=red%20shoesIf you encode the whole URL, you get:
https%3A%2F%2Fexample.com%2Fsearch%3Fq%3Dred%20shoesThat encoded version is no longer a normal clickable URL. It is useful only when the entire URL is being used as a value inside another URL.
Nested Redirect URLs
Nested URLs are where encoding becomes especially important.
Consider this redirect parameter:
https://auth.example.com/login?redirect=https://app.example.com/dashboard?tab=billing&plan=proThis is risky because the inner URL contains ? and &, which can be interpreted as part of the outer URL.
The redirect value should be encoded:
https://auth.example.com/login?redirect=https%3A%2F%2Fapp.example.com%2Fdashboard%3Ftab%3Dbilling%26plan%3DproNow the outer URL has one clear parameter: redirect.
Nested URLs appear in:
- OAuth flows.
- Login redirects.
- Password reset links.
- Campaign tracking links.
- Payment provider return URLs.
- Support or helpdesk deep links.
If a redirect stops at the wrong page, drops query parameters, or breaks after an ampersand, encoding is often the cause.
Ampersands in Query Values
Ampersands separate query parameters:
?source=google&medium=cpcBut sometimes an ampersand belongs inside the value:
research & developmentAs a query value, it should be encoded:
research%20%26%20developmentWithout encoding, the URL parser may treat development as a separate parameter or malformed segment.
This matters for UTM campaigns, search terms, product names, and user-generated filters.
If you are building campaign URLs, pair URL encoding with a dedicated UTM Builder so campaign fields stay readable and consistent.
Question Marks and Hash Signs
The first ? in a URL starts the query string:
https://example.com/page?query=valueThe # starts a fragment:
https://example.com/page#sectionIf either character belongs inside a value, encode it.
Example value:
What is URL encoding?Encoded:
What%20is%20URL%20encoding%3FExample value:
chapter #2Encoded:
chapter%20%232If a raw # appears inside a query value, everything after it may be treated as the fragment and never reach the server.
Slashes in Values
A slash separates path segments:
/docs/api/referenceBut a slash may also belong inside a parameter value, such as a category path, file path, or return URL.
Value:
docs/api/referenceEncoded as a query value:
docs%2Fapi%2FreferenceDo not encode slashes that are meant to remain path separators. Do encode slashes when they are data inside a parameter value.
Plus Signs
The plus sign is tricky because form-style query decoding may treat + as a space.
If the literal value contains a plus sign:
C++ guidethe plus signs should be encoded:
C%2B%2B%20guideOtherwise a decoder may interpret the value as:
C guideThis is common in search terms, programming language names, grades, phone numbers, and encoded tokens.
Unicode Text
URL encoding also handles non-ASCII characters by encoding their UTF-8 bytes.
For example, a Unicode word or emoji becomes a sequence of percent-encoded bytes. You usually should not try to write those bytes manually.
Use browser APIs, a URL encoder, or server-side URL utilities so Unicode text is encoded consistently. This matters for internationalized search queries, names, tags, and product titles.
Encoding vs Escaping vs Base64
URL encoding is often confused with other transformations.
URL encoding makes text safe inside URL components.
HTML escaping makes text safe inside HTML.
JSON escaping makes strings safe inside JSON.
Base64 represents bytes as text.
These are not interchangeable. If you need to put a JSON string into a URL parameter, you may need more than one layer:
- Create valid JSON.
- Convert it to a string.
- URL-encode that string as a query value.
If you are comparing encoding choices, see Base64 vs URL Encoding. If you are handling strings across multiple contexts, see the String Escaping Guide.
Practical Checklist
Use this checklist when a URL breaks:
- Is the broken character part of the URL structure or part of a value?
- Are query values encoded individually?
- Is a nested redirect URL encoded as a parameter value?
- Did a raw
&split one value into multiple parameters? - Did a raw
#turn part of the value into a fragment? - Are literal plus signs encoded as
%2B? - Are Unicode values encoded by a proper URL utility?
- Is the full URL encoded only when it is being nested inside another URL?
Bottom Line
URL encoding protects the structure of a URL by encoding values that contain spaces, special characters, reserved symbols, Unicode text, or nested URLs. The key is knowing what you are encoding: a query value, a path segment, a redirect URL, or a full URL used as data.
Use the URL Encoder Decoder Online when you need a quick browser-based way to encode or decode query values, redirect links, API parameters, and special characters without uploading your input.
Keep going