URL Encode/Decode

URL encoding and decoding (percent-encoding). Essential tool for web development and security testing.

Free Tool Client-side RFC 3986

Encode component (encodeURIComponent) Spaces as +

Text to Encode

Result (URL-encoded)

Encoding Reference

␣

%20

%21

%22

%23

%24

%25

%26

%27

(

%28

)

%29

%2A

%2B

%2C

%2F

%3A

;

%3B

%3D

%3F

%40

[

%5B

]

%5D

%3C

%3E

{

%7B

About URL Encoding

What is it?

URL encoding (percent-encoding) replaces unsafe characters with %XX, where XX is the hex code of the character.

Pentesting Use Cases

• XSS payload encoding
• SQL injection bypass
• Path traversal (..%2F)
• Parameter tampering
• WAF bypass

Function Differences

encodeURI()

Does not encode: ; / ? : @ & = + $ , #

encodeURIComponent()

Encodes all except: A-Z a-z 0-9 - _ . ! ~ * ' ( )

Double Encoding

For WAF bypass, double encoding is sometimes used: %253C instead of %3C (<)