URL Encoding Explained

Everything you need to know about special characters in URLs.

What is URL Encoding?

URL encoding (also known as _percent-encoding_) is the process of replacing characters in a URL that are either invalid or have special meaning with a percent sign followed by the character's hexadecimal ASCII code.

Unencoded:      https://example.com/user=john doe
Encoded:        https://example.com/user=john%20doe
Decoded:        john doe
                

When to Encode

Reserved Characters

  • : / ? # [ ] @ ! $ & ' ( ) * + , ; =
  • These must be encoded unless they're used for their reserved purpose

Unsafe Characters

  • " # % < > { } `
  • These often disrupt parsing or have special browser behavior

Encoding Examples

Original: https://example.com?query=hello world
Encoded: https://example.com?query=hello%20world
Decoded: hello world

Special Case: <_out> tag

The %3C_out%3E sequence appears in encoded contexts like this URL:

https://example.com/file?tag=%3C_out%3E

When decoded, this becomes:

https://example.com/file?tag=<_out>

Common Problems

Double Encoding

Bad: %2520 (double-encoded space)
Good: %20 (single-encoded space)

Avoid encoding already-encoded values multiple times

Missing Encoding

Bad: user=john doe
Good: user=john%20doe

Spaces and special characters must always be encoded
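
The checks described under Double Encoding and the <_out> special case, as an added example that is not part of the original page: it encodes a raw value exactly once, counts how many encoding layers a value carries, and rejects double-encoded input before HTML-escaping the decoded result. The function names and the reject-on-double-encoding policy are assumptions made for illustration.

```python
import html
import re
from urllib.parse import quote, unquote

# Matches one percent-escape such as %20 or %3C.
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def encode_component(raw: str) -> str:
    """Encode a raw (never previously encoded) value for a query string."""
    # safe="" also encodes "/" so reserved characters cannot leak through.
    return quote(raw, safe="")


def encoding_depth(value: str, limit: int = 5) -> int:
    """Count decode passes needed until no %XX escapes remain.

    Heuristic only: raw text that really contains "%20" also reports 2
    once it has been correctly encoded as "%2520".
    """
    depth = 0
    while depth < limit and PCT_ESCAPE.search(value):
        decoded = unquote(value)
        if decoded == value:
            break
        value, depth = decoded, depth + 1
    return depth


def decode_query_value(encoded: str) -> str:
    """Decode exactly once; refuse values that are still percent-encoded."""
    decoded = unquote(encoded)
    if PCT_ESCAPE.search(decoded):
        # Assumed policy: validate after one decode, never decode again.
        raise ValueError("value is percent-encoded more than once")
    return decoded


def render_in_html(encoded: str) -> str:
    """Decode a query value, then escape it for an HTML text context."""
    return html.escape(decode_query_value(encoded))


if __name__ == "__main__":
    # Constructed sample values taken from the examples on this page.
    for sample in ("john doe", "%20", "%2520", "%3C_out%3E"):
        print(repr(sample), "depth =", encoding_depth(sample))
    print(encode_component("john doe"))
    print(render_in_html("%3C_out%3E"))
```

Validation and output escaping run on the value after its single decode, so a decoded `<_out>` reaches the HTML page as inert text.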