What is URL percent-encoding?

URL encoding, officially known as percent-encoding, is a mechanism for safely encoding information within a Uniform Resource Identifier (URI). It replaces unsafe ASCII characters with a '%' followed by their two-digit hexadecimal equivalent.

Why do I need to encode URLs?

URLs can only be sent over the Internet using the US-ASCII character-set. If a URL contains characters outside the ASCII set (like spaces, emojis, or Cyrillic characters), or reserved syntax characters (like '&' or '?'), those characters must be translated so web servers don't crash when routing the request.

What happens if I double-encode a URL?

Double-encoding occurs when an already percent-encoded string is encoded a second time. For example, a space becomes '%20', and then the '%' sign in '%20' gets encoded into '%25', resulting in '%2520'. This completely breaks the link and causes 404 errors.

Is it safe to encode private API tokens here?

Yes. Kodivio utilizes a secure Zero-Server architecture. The encoding algorithm executes entirely locally within your browser's JavaScript engine. Your private keys and UTM parameters are never logged or transmitted over the internet.

URL Encoder & Decoder

Easily encode and decode URLs for safe web transmission.

RFC 3986 Compliant

100% Local (Zero-Server)

Bi-Directional Engine

Input

Result

The Mechanics of Percent-Encoding

The internet's routing infrastructure was built around a highly restricted subset of ASCII characters. When you attempt to pass complex data blocks—such as JSON payloads, marketing UTM tracking parameters, or even simple mathematical equations—via a web URL, you risk crashing the target server's routing engine.

The Kodivio Secure URL Encoder is a cryptographic utility that translates "unsafe" characters into a globally recognized format known as percent-encoding. Based strictly on the IETF RFC 3986 Standard, our tool scans your string and isolates unsafe characters (like spaces, emojis, or structural symbols like '&') and replaces them with a '%' sign followed by their exact two-digit Hexadecimal index.

Expert Use Cases & Network Routing

Understanding precisely when to execute a percent-encode is a foundational skill for digital marketers and backend engineers linking distributed systems.

UTM Marketing Attributes

Digital ad campaigns rely on appending query parameters to tracking links. For example, if your campaign name is "Summer Sale 2026", appending ?utm_campaign=Summer Sale 2026 will mathematically break the URL at the first space.

Encoding protects the integrity of the data payload, mutating it into the web-safe format: ?utm_campaign=Summer%20Sale%202026.

JSON via Query Parms

Modern single-page applications (React/Next.js) often store complex state structures (like active filters or cart data) directly in the browser's URL bar.

Because JSON relies heavily on curly braces {} and double quotes " ", injecting raw JSON into a URL throws a security exception. percent-encoding perfectly flattens the JSON tree for safe transmission.

Common Percent Conversion References

Reserved Character	Hexadecimal Code	Dangerous Implication
Space ( )	%20	Prematurely terminates the URL structure.
Ampersand (&)	%26	Creates a false secondary parameter split.
Question (?)	%3F	Falsely triggers the start of a query string.
Hash (#)	%23	Falsely triggers an anchor jump on the client side.

Frequently Asked Questions

What is the difference between URL Encode and encodeURI()?

In Javascript, encodeURI() is used for whole links and intentionally ignores characters like '?' and '&' assuming they are part of the structure. Our tool natively implies encodeURIComponent(), which aggressively encodes absolutely everything, making it perfect for parameter values.

Can percent-encoding corrupt my email attachments?

Yes. If you attempt to link a user to download a PDF, but the PDF's file name contains raw spaces (e.g., Financial Report 2026.pdf), standard email clients will often break the link at the space. You must always percent-encode file names hosted on public Amazon S3 or Azure servers.

Anatomy of a URL: What Gets Encoded?

A URL is composed of distinct functional zones. Only specific zones require percent-encoding — encoding the wrong zone breaks routing entirely.

Scheme

https://

Host

example.com

Path

/products/

Query ← encode THIS

?q=summer%20sale&sort=price%3Aasc

Fragment

#results

Never encode — fixed protocol

Host uses Punycode (IDN), not percent-encoding

Encode spaces in path segments

Encode ALL query param values

Fragments are client-only — not sent to server

The Double-Encoding Trap

The most common URL handling bug is encoding an already-encoded string. Here's exactly what happens at each layer:

RawSummer Sale 2026

1× OKSummer%20Sale%202026

2× BADSummer%2520Sale%25202026

The second pass encodes the % character itself into %25, corrupting the string entirely. The server receives the literal text %20 instead of a space. Always decode the string first before re-encoding if you are unsure of its current state.

encodeURI vs encodeURIComponent

JavaScript ships with two built-in encoding functions. Using the wrong one is one of the most common beginner mistakes in API integration work.

encodeURI(url)

Designed for entire URLs. Deliberately skips encoding of structural characters like :// / ? = & # because it assumes they are part of the URL structure. Use when encoding a full URL to pass as a redirect parameter.

encodeURIComponent(value)

Encodes everything including ? & = / :. Use this for individual query parameter values. This is what Kodivio's engine applies — the safest choice for encoding user-input data, API keys, and JSON payloads.

Security Implications

Open Redirect Attacks

Attackers craft URLs like /redirect?url=https%3A%2F%2Fevil.com. If your server decodes and blindly follows the redirect target, users get sent to phishing sites. Always whitelist allowed redirect domains.

SQL Injection via URLs

Raw query params like ?id=1' OR '1'='1 can trigger SQL injection if the server doesn't sanitize inputs. Percent-encoding the apostrophe to %27 doesn't protect against injection — that requires parameterized queries server-side.

Canonicalization Attacks

Security filters sometimes check the raw URL before decoding. An attacker might bypass a rule blocking /admin by requesting /%61dmin (where %61 = 'a'). Secure servers must decode and normalize paths before applying access control logic.

Feedback

Live