URL Encoding Explained: Percent-Encoding, UTF-8 & Common Pitfalls

URL encoding (percent-encoding) converts characters into a format that can be safely transmitted in URLs. Every web developer encounters it, yet it remains a common source of bugs. This guide explains the rules, compares JavaScript encoding functions, and covers the pitfalls that trip up even experienced developers.

RFC 3986: The URL Standard

RFC 3986 defines which characters are allowed in URLs without encoding:

Unreserved characters (never need encoding): A-Z a-z 0-9 - _ . ~
Reserved characters (have special meaning): : / ? # [ ] @ ! $ & ' ( ) * + , ; =

Everything else must be percent-encoded: the character's UTF-8 byte value expressed as %XX hex pairs. For example, a space becomes %20, and the euro sign (€) becomes %E2%82%AC (three UTF-8 bytes).

JavaScript Encoding Functions

Function	Preserves	Use For
`encodeURI()`	Reserved chars + unreserved	Encoding a full URL (preserves structure)
`encodeURIComponent()`	Only unreserved chars	Encoding a query parameter value
`URLSearchParams`	Handles encoding automatically	Building query strings (recommended)

The most common mistake: using encodeURI() for a query parameter value. It leaves & and = intact, breaking the query string structure if those characters appear in the value.

Space Encoding: + vs %20

This causes endless confusion:

%20 — Used in URL paths and fragment identifiers (RFC 3986)
+ — Used in query strings (application/x-www-form-urlencoded, HTML forms)

Both are correct in their respective contexts. URLSearchParams uses + for spaces; encodeURIComponent() uses %20.

Common Pitfalls

Double encoding: Encoding an already-encoded string turns %20 into %2520. Decode first, then encode once.
Encoding the entire URL: Never encode the whole URL including scheme and slashes. Only encode dynamic values.
Missing encoding on user input: Any user-provided value inserted into a URL must be encoded to prevent injection and broken URLs.
Path vs query encoding: / is allowed in paths but must be encoded in query values. Use encodeURIComponent() for values.

Encode and decode URLs instantly with the WizlyTools URL Encoder/Decoder.

Frequently Asked Questions

Why is the space character sometimes + and sometimes %20?▾

In URL query strings (application/x-www-form-urlencoded from HTML forms), spaces become +. In URL paths and other contexts (RFC 3986), spaces become %20. Both are correct in their respective contexts.

What is double encoding and how do I fix it?▾

Double encoding happens when you encode an already-encoded string: %20 becomes %2520. The fix: decode until the output stops changing (no more %XX sequences remain that should be decoded), then encode once.

What's the difference between encodeURI() and encodeURIComponent()?▾

encodeURI() is for encoding a complete URL — it leaves reserved characters (: / ? # & =) intact. encodeURIComponent() encodes everything except unreserved characters — use it for individual query parameter values, form field values, or any dynamic segment inserted into a URL.

How are non-ASCII characters encoded in URLs?▾

Non-ASCII characters are first converted to their UTF-8 byte sequence, then each byte is percent-encoded. The euro sign (€) is U+20AC, which is 3 bytes in UTF-8 (E2 82 AC), becoming %E2%82%AC in the URL.

RFC 3986: The URL Standard

RFC 3986 defines which characters are allowed in URLs without encoding:

Unreserved characters (never need encoding): A-Z a-z 0-9 - _ . ~

Reserved characters (have special meaning): : / ? # [ ] @ ! $ & ' ( ) * + , ; =

JavaScript Encoding Functions

Function

Preserves

Use For

encodeURI()

Reserved chars + unreserved

Encoding a full URL (preserves structure)

encodeURIComponent()

Only unreserved chars

Encoding a query parameter value

URLSearchParams

Handles encoding automatically

Building query strings (recommended)

The most common mistake: using encodeURI() for a query parameter value. It leaves & and = intact, breaking the query string structure if those characters appear in the value.

Common Pitfalls

Double encoding: Encoding an already-encoded string turns %20 into %2520. Decode first, then encode once.

Encoding the entire URL: Never encode the whole URL including scheme and slashes. Only encode dynamic values.

Missing encoding on user input: Any user-provided value inserted into a URL must be encoded to prevent injection and broken URLs.

Path vs query encoding: / is allowed in paths but must be encoded in query values. Use encodeURIComponent() for values.

Frequently Asked Questions

Why is the space character sometimes + and sometimes %20?▾

What is double encoding and how do I fix it?▾

What's the difference between encodeURI() and encodeURIComponent()?▾

How are non-ASCII characters encoded in URLs?▾

URL Encoding Explained: Percent-Encoding, UTF-8 & Common Pitfalls

RFC 3986: The URL Standard

JavaScript Encoding Functions

Space Encoding: + vs %20

Common Pitfalls

Frequently Asked Questions

Related Tools

URL Encoding Explained: Percent-Encoding, UTF-8 & Common Pitfalls

RFC 3986: The URL Standard

JavaScript Encoding Functions

Space Encoding: + vs %20

Common Pitfalls

Frequently Asked Questions

Related Tools