Understand URL encoding, decoding, query strings, reserved characters, and common bugs in links, APIs, and redirects.
URLs look like plain text, but not every character can travel safely inside them. Spaces, ampersands, question marks, slashes, equal signs, and non-ASCII characters can change meaning if they are not encoded correctly.
A URL Encoder helps convert text into a URL-safe form and decode it again for inspection.
This matters in APIs, search filters, redirect links, tracking parameters, OAuth flows, email links, and form submissions.
URL encoding replaces unsafe or reserved characters with percent-encoded values.
Example:
hello worldbecomes:
hello%20worldThe encoded form can travel safely in a URL without the space breaking the link.
Some characters have special meaning in URLs:
? starts the query string.& separates parameters.= separates key and value./ separates path segments.# starts a fragment.% begins an encoded sequence.If these characters are part of a value, encode them.
Example value:
red & blueQuery parameter:
color=red%20%26%20blueWithout encoding, the & may be interpreted as a parameter separator.
Query strings are a common source of bugs.
Bad:
/search?q=red & blueBetter:
/search?q=red%20%26%20blueWhen building URLs in code, use URL APIs instead of manual string concatenation whenever possible. They handle escaping more reliably.
Encoding prepares a value for a URL. Decoding makes an encoded value readable.
Use decoding when:
Be careful not to decode too many times. Double decoding can create security and routing bugs.
Forgetting ampersands. Values containing & break query strings.
Encoding the whole URL. Usually encode individual components, not the entire URL.
Double encoding. %20 becomes %2520, producing confusing output.
Mixing path and query rules. A slash in a path has different meaning than a slash inside a query value.
Ignoring Unicode. Names, cities, and titles may include non-ASCII characters.
Redirect parameters often contain full URLs:
/login?redirect=/dashboard?tab=billingThis can break because the nested ? has meaning. Encode the redirect value:
/login?redirect=%2Fdashboard%3Ftab%3DbillingAlways validate redirect targets on the server to avoid open redirect vulnerabilities.
When testing APIs with an API Tester, inspect encoded query parameters carefully.
Check:
Different APIs use different conventions for arrays and nested filters.
URL encoding keeps values from being mistaken for URL syntax. Encode components, decode for inspection, avoid double encoding, and use structured URL APIs when writing code.
Small encoding mistakes can turn a valid link into a confusing bug.