URL Encoding (Percent-Encoding): How Browsers Handle Special Characters

Introduction

URLs can only contain a limited set of characters. But what if your query contains spaces or symbols like ? and &? That’s where percent encoding (URL encoding) comes in.

👉 Try encoding text: Free Online Utils – URL Encoder/Decoder

---

The Problem

• URLs must comply with RFC 3986.
• Reserved characters (?, #, &, /) have special meaning.
• Non-ASCII characters (e.g., 你好) must also be encoded.

---

How Percent-Encoding Works

Each byte outside the allowed set is replaced with %HH (hexadecimal).

Examples:

• Space → %20
• ? → %3F
• & → %26

---

Code Examples

Python

import urllib.parse
print(urllib.parse.quote("hello world?&"))
# hello%20world%3F%26

Javascript

encodeURIComponent("hello world?&");
// "hello%20world%3F%26"

Applications

• Query strings in HTTP requests.
• Form submissions (application/x-www-form-urlencoded).
• Handling Unicode characters in URLs.

Pitfalls

• Double encoding attacks (%2520 vs %20).
• Inconsistent decoding across libraries.
• Security issues in web apps (injection vectors).

References

• RFC 3986: Uniform Resource Identifier (URI)