Code Flux
Back to Blog
Web StandardsMay 22, 202610 min read

Demystifying URL Encoding and Percent-Encoding in Web Development

If you've ever stared at %20 where a space should be, or spent an hour debugging why your API call breaks the moment someone searches for "cats & dogs" — welcome, you've been bitten by URL encoding. This guide rips open the RFC, walks through the actual encoding math, and covers the bugs that burn developers over and over again.

The Anatomy of a URL

Before we talk encoding, let's be precise about what a URL actually is. Per RFC 3986, it's a structured string with distinct parts: scheme (https), authority (www.example.com), path (/search), query (?q=hello+world), and fragment (#results). Each part has its own rules about which characters can appear raw and which must be encoded.

The URL specification defines a set of unreserved characters that can appear anywhere without encoding: the 26 uppercase and 26 lowercase ASCII letters (A–Z, a–z), the 10 digits (0–9), and four special characters: hyphen (-), period (.), underscore (_), and tilde (~). Every other character — including spaces, ampersands, equals signs, slashes, question marks, and all non-ASCII characters — must be percent-encoded when used in a context where they could be misinterpreted as URL syntax.

Reserved characters like ':', '/', '?', '#', '[', ']', '@', '!', '$', '&', '(', ')', '*', '+', ',', ';', and '=' serve as delimiters within the URL structure. They only need encoding when used as data (e.g., a literal ampersand in a search term) rather than as their intended structural role.

How Percent-Encoding Works

The actual encoding algorithm is refreshingly straightforward: take each byte of the character's UTF-8 representation and write it as a percent sign plus two hex digits.

Space → %20 (byte 0x20)

Ampersand (&) → %26 (byte 0x26)

Plus (+) → %2B (byte 0x2B)

Café → Caf%C3%A9 (é is 2 UTF-8 bytes: 0xC3, 0xA9)

日本語 → %E6%97%A5%E6%9C%AC%E8%AA%9E (each character is 3 UTF-8 bytes)

Notice that non-ASCII characters like accented letters, emoji, and CJK ideographs first get converted to their multi-byte UTF-8 representation, and then each byte is individually percent-encoded. The Japanese word "日本語" (nihongo) contains 3 characters, each 3 bytes in UTF-8, resulting in 9 percent-encoded triplets — a 27-character URL representation of a 3-character string.

There is an important historical quirk: the plus sign (+) is used to represent spaces in the application/x-www-form-urlencoded format (used by HTML forms), but it is not a valid space encoding in the path or fragment components of a URL. In those contexts, only %20 is correct. This inconsistency is one of the most common sources of encoding bugs in web applications.

JavaScript's Encoding Functions: A Critical Comparison

JavaScript gives you three pairs of encoding/decoding functions, and picking the wrong one is one of the most common sources of subtle bugs in web apps:

❌ escape() / unescape() — Deprecated

These are legacy functions from the early days of JavaScript. They do not handle UTF-8 correctly and should never be used in modern code. They encode characters above 0xFF using a non-standard %uXXXX format that no server understands.

⚠️ encodeURI() / decodeURI() — For Complete URLs

These encode a complete URI string while preserving the structural characters (:, /, ?, #, &, =). Use them when you have a full URL and just need to encode non-ASCII or unsafe characters. Do NOT use them for encoding individual parameter values — the preserved characters will break your query strings.

✅ encodeURIComponent() / decodeURIComponent() — For Values

These encode everything except unreserved characters (A–Z, a–z, 0–9, -, _, ., ~). This is the correct function for encoding individual query parameter values, path segments, or any user-provided data that will be embedded in a URL. It ensures that characters like &, =, and ? in user input cannot be misinterpreted as URL syntax.

The rule you should tattoo on your forearm: encodeURIComponent() for individual values, encodeURI() only for complete, already-structured URLs. When building query strings by hand, encode each key and each value separately, then stitch them together with literal & and = characters.

Common Encoding Bugs and How to Avoid Them

URL encoding bugs are sneaky. They hide in your code for months until some user in Germany types an umlaut or a marketer pastes a URL with an ampersand in a campaign link. Here are the ones that bite hardest:

Double Encoding

This happens when you encode a value, embed it in a URL, and then the HTTP client or framework encodes it again. The result: %20 (an encoded space) becomes %2520 (the percent sign itself gets encoded). Always know whether your HTTP library auto-encodes parameters and don't pre-encode values that will be encoded automatically.

Encoding the Entire URL

Using encodeURIComponent() on a full URL will encode the slashes, colons, and question marks that give the URL its structure, producing a broken string like https%3A%2F%2Fexample.com. Use encodeURIComponent() only on individual values, not on complete URLs.

The Plus-vs-Space Trap

In form-encoded data (application/x-www-form-urlencoded), spaces are represented as +. But in URL paths and fragments, + means a literal plus sign, not a space. If you decode a path segment using a form-decoding function, spaces will appear where plus signs should be. Use the correct decoder for the context.

Forgetting to Encode User Input

The most dangerous encoding bug: concatenating user input directly into a URL without encoding. If a user searches for "cats & dogs", the unencoded & splits the query string and the server receives a truncated search term. Worse, this can enable URL injection attacks where a malicious user manipulates the URL structure.

URL Encoding in Practice: APIs and Beyond

Beyond basic web forms, URL encoding is critical in several modern development contexts:

  • REST API query parameters: When filtering, sorting, or searching through an API, user-provided values must be encoded. Most HTTP client libraries (Axios, fetch with URLSearchParams, requests in Python) handle this automatically if you use their parameter objects instead of manually building query strings.
  • OAuth and authentication flows: OAuth redirect URIs, state parameters, and authorization codes are all URL-encoded. A misencoded redirect_uri is one of the most common reasons OAuth flows fail silently.
  • Webhook and callback URLs: When registering webhooks, the callback URL itself often needs to be passed as a parameter in another URL, requiring encoding of the entire callback URL.
  • Data URIs and Base64: Base64 strings contain + and / characters that must be percent-encoded when embedded in URLs. This is why Base64url encoding (which replaces + with - and / with _) exists — try our Base64 Hub to see the difference.
  • Internationalized domain names (IDN): Domain names with non-ASCII characters (like münchen.de) use Punycode encoding in DNS but are often displayed in their Unicode form in browsers, adding another layer of encoding complexity.

Key Takeaways

  • • URL encoding (percent-encoding) converts unsafe characters into their UTF-8 byte representation using %XX notation.
  • • Always use encodeURIComponent() for individual parameter values. Use encodeURI() only for complete, pre-structured URLs.
  • • Watch out for double encoding, the plus-vs-space ambiguity, and raw user input concatenation.
  • • Modern APIs and HTTP libraries often auto-encode parameters — know when your tools handle it for you to avoid double-encoding.
  • • Use our URL Architect tool to build, parse, and debug URLs with proper encoding right in your browser.

Build and debug URLs with confidence

Our URL Architect tool lets you construct, parse, and encode URLs visually — no more guessing which characters need encoding.

Try URL Architect