Loading...
Loading...
Free online URL and HTML entity encoder/decoder. Encode and decode URL parameters and HTML entities. Prevent XSS attacks and broken links.
URL encoding (also called percent-encoding) and HTML entity encoding are two fundamental encoding schemes in web development. URL encoding ensures that special characters are safe for use in URLs, while HTML entity encoding prevents special characters from being interpreted as HTML markup.
URL encoding replaces non-alphanumeric characters with a percent sign (%) followed by two hexadecimal digits representing the character's UTF-8 byte value. For example, a space becomes %20, and a slash (/) becomes %2F. Reserved characters like ?, &, =, # have special meaning in URLs and must be encoded when they appear as part of data rather than syntax.
URL encoding is needed for: query parameters containing spaces or special characters, user-generated content in URLs, file names with non-ASCII characters, and constructing API calls with complex parameters. encodeURIComponent() in JavaScript handles this automatically.
HTML entity encoding prevents text content from being interpreted as HTML tags. Without encoding, user-submitted text like '<script>' would execute as JavaScript (XSS attack). HTML entities use named (& for &, < for <, > for >, " for ") or numeric (") representations. Always encode user-generated content before rendering it in HTML.
Common encoding pitfalls: double-encoding (encoding already-encoded text corrupts it), forgetting to encode when constructing URLs dynamically, and using the wrong encoding function (encodeURI vs encodeURIComponent — the former does not encode all characters). This tool helps verify your encodings are correct.
All characters except A-Z, a-z, 0-9, -, _, ., ~ must be encoded in URL query parameters. In the URL path, / and @ also do not need encoding. Spaces should be encoded as %20 (not +) in URL paths, while + is acceptable in query strings.
URL encoding (%xx) makes text safe for URLs. HTML encoding (&) makes text safe for HTML documents. They serve different purposes — a URL containing & would be incorrect, and HTML containing %20 would not display a space. Use the appropriate encoding for each context.
Always HTML-encode user-generated content before inserting it into HTML. Never use innerHTML or dangerouslySetInnerHTML with untrusted content. Use textContent or React's default JSX escaping (which encodes automatically) instead of dangerously setting HTML.