URL Encoding Special Characters: Complete Guide
What Is URL Encoding?
URL encoding, also called percent-encoding, is the process of converting special characters in a URL into a format that can be safely transmitted over the internet. When a character is not allowed in a URL or has a reserved meaning, it gets replaced with a percent sign followed by its two-digit hexadecimal value.
For example, a space becomes %20, an ampersand becomes %26, and a forward slash becomes %2F.
Every developer works with URLs, and URL encoding special characters incorrectly is one of the most common sources of subtle, hard-to-debug issues in web applications.
Why URL Encoding Is Necessary
URLs can only contain a limited set of characters from the ASCII character set. The URL specification (RFC 3986) defines which characters are allowed and which have special meanings.
If you include a raw & in a query parameter value, the browser or server interprets it as a parameter separator, not as part of the value. If you include a space, the URL breaks entirely. Percent-encoding ensures that every character is transmitted exactly as intended.
Characters That Need Encoding
Reserved Characters
These characters have special meanings in URLs and must be encoded if used as data (not as delimiters):
| Character | Encoded | Purpose in URL |
|---|---|---|
: | %3A | Scheme separator (http:), port separator |
/ | %2F | Path separator |
? | %3F | Query string start |
# | %23 | Fragment identifier |
[ | %5B | IPv6 address |
] | %5D | IPv6 address |
@ | %40 | User info separator |
! | %21 | Sub-delimiter |
$ | %24 | Sub-delimiter |
& | %26 | Query parameter separator |
' | %27 | Sub-delimiter |
( | %28 | Sub-delimiter |
) | %29 | Sub-delimiter |
* | %2A | Sub-delimiter |
+ | %2B | Space in some contexts (form encoding) |
, | %2C | Sub-delimiter |
; | %3B | Sub-delimiter |
= | %3D | Key-value separator in query strings |
Unsafe Characters
These characters are not part of the URL specification and must always be encoded:
| Character | Encoded | Why It’s Unsafe |
|---|---|---|
| Space | %20 (or + in forms) | Not a valid URL character |
" | %22 | Conflicts with HTML attribute quotes |
< | %3C | HTML tag opening |
> | %3E | HTML tag closing |
{ | %7B | Not allowed in URLs |
} | %7D | Not allowed in URLs |
| ` | ` | %7C |
\ | %5C | Not allowed in URLs |
^ | %5E | Not allowed in URLs |
` | %60 | Not allowed in URLs |
Characters That Do NOT Need Encoding
These unreserved characters are safe to use anywhere in a URL without encoding:
- Letters:
A-Z,a-z - Digits:
0-9 - Hyphen:
- - Underscore:
_ - Period:
. - Tilde:
~
URL Encoding in Code
JavaScript
// Encode a full URL component (query parameter value)
encodeURIComponent("hello world & goodbye")
// "hello%20world%20%26%20goodbye"
// Encode a full URI (preserves :, /, ?, #, etc.)
encodeURI("https://example.com/path?q=hello world")
// "https://example.com/path?q=hello%20world"Use encodeURIComponent() for encoding individual parameter values. It encodes everything except unreserved characters.
Use encodeURI() for encoding a complete URL where you want to preserve the structure characters (://?#).
Python
from urllib.parse import quote, urlencode
# Encode a single value
quote("hello world & goodbye")
# "hello%20world%20%26%20goodbye"
# Encode query parameters
urlencode({"q": "hello world", "lang": "en"})
# "q=hello+world&lang=en"Go
import "net/url"
// Encode a query parameter
url.QueryEscape("hello world & goodbye")
// "hello+world+%26+goodbye"
// Encode a path segment
url.PathEscape("my file.txt")
// "my%20file.txt"Or skip the code and use the URL Encoder/Decoder for quick encoding tasks right in your browser.
Spaces: %20 vs +
One of the most confusing aspects of URL encoding is the two different representations of a space:
%20: The standard percent-encoding for a space character. Used in URL paths and byencodeURIComponent().+: An alternative encoding for spaces used only inapplication/x-www-form-urlencodedformat (HTML form submissions).
URL path: /search/hello%20world
Query string (URL encoding): ?q=hello%20world
Query string (form encoding): ?q=hello+worldBoth %20 and + are valid in query strings, but %20 is the safer choice because it works everywhere. The + notation only works in the query string portion, and some servers and frameworks handle it differently.
Common Pitfalls
Double Encoding
The most frequent mistake. If you encode a string that is already encoded, percent signs get encoded again:
"hello world" → "hello%20world" → "hello%2520world"That %2520 is a literal %20 string, not a space. This happens when a URL passes through multiple encoding layers. Always check whether your input is already encoded before encoding it.
Encoding the Entire URL
Never pass a complete URL through encodeURIComponent(). It will encode the structure characters too:
// WRONG
encodeURIComponent("https://example.com/path?q=test")
// "https%3A%2F%2Fexample.com%2Fpath%3Fq%3Dtest"
// RIGHT — encode only the parameter value
"https://example.com/path?q=" + encodeURIComponent("test value")
// "https://example.com/path?q=test%20value"Forgetting to Encode User Input
Any user-provided value that ends up in a URL must be encoded. Failing to encode user input can break URLs and create security vulnerabilities (open redirects, injection attacks).
Encoding Path Segments Differently From Query Parameters
Path segments and query parameters have different rules for which characters are allowed. A / in a path segment is a directory separator, but a / in a query parameter value should be encoded as %2F.
Platform Differences
Different programming languages and frameworks encode characters slightly differently. For example, Go’s QueryEscape uses + for spaces, while PathEscape uses %20. Always verify the encoding function matches your context.
Testing Your URLs
When debugging URL encoding issues:
- Decode the URL first: Use the URL Encoder/Decoder to decode a problematic URL and see what the raw values are.
- Check for double encoding: Look for
%25in your URLs — that is an encoded percent sign, which usually indicates double encoding. - Test with special characters: Include
&,=,?,#, and spaces in your test data to catch encoding issues early. - Inspect network requests: Use your browser’s DevTools Network tab to see the actual URL being sent, including encoding.
Conclusion
URL encoding special characters correctly is a small detail that prevents a large category of bugs. Encode individual parameter values with encodeURIComponent() (or your language’s equivalent), never encode entire URLs with that function, and watch out for double encoding.
For quick encoding and decoding tasks, use the URL Encoder/Decoder — paste any text, click encode, and copy the result. It handles all the edge cases and runs privately in your browser.