URL & HTML Encoding Explained (With Examples)

Two different problems get called "encoding" on the web: making text safe inside a URL, and making text safe inside HTML. They look similar but solve different problems — here's what each one actually does.

Published July 3, 2026 · 7 min read · Developer

What Is Percent-Encoding (and Why URLs Need It)

URLs can only safely contain a limited set of characters — letters, digits, and a handful of symbols. Anything else (spaces, accented letters, &,=) has to be replaced with a % followed by two hexadecimal digits representing that character's byte value. A space becomes %20, an ampersand becomes %26. This is called percent-encoding, and it's what "URL encoding" means in practice.

Without it, a search query like coffee & tea would break the URL, since & is the character that separates query parameters. Encoded, it becomes coffee%20%26%20tea — safe to pass as a single value.

encodeURIComponent vs encodeURI vs escape

JavaScript has three built-in functions that look similar but behave differently:

  • encodeURIComponent() — encodes everything except letters, digits, and - _ . ! ~ * ' ( ). Use this for a single query parameter value, since it also encodes & = ? / — the characters that would otherwise break the URL structure.
  • encodeURI() — leaves URL structure characters intact (: / ? # [ ] @) so a complete URL stays navigable. Use this only when encoding an entire URL, not a piece of one.
  • escape() — deprecated, handles Unicode incorrectly. Don't use it in new code; it's kept only for legacy compatibility.

The most common bug: using encodeURI() on a query parameter value. If that value contains & or =, they won't get encoded — and they'll be misread as new parameters, silently corrupting the URL.

How to URL-Encode or Decode Online

ToolLance's URL Encoder & Decoder runs both encodeURIComponent and encodeURI modes, decodes both %20 and + as spaces, and includes a query string inspector that parses a full URL into a readable table of decoded key-value pairs — useful when you're staring at a long tracking URL and need to see what's actually in it. Everything runs locally in your browser; nothing is sent to a server.

What Is HTML Entity Encoding?

HTML encoding solves an entirely different problem: characters that have special meaning inside HTML markup. If you print a user's comment containing <script> directly into a page, the browser interprets it as an actual script tag — this is the basis of Cross-Site Scripting (XSS) attacks. HTML encoding converts those characters into entities that display as text instead: < becomes &lt;, and the browser shows the literal characters rather than executing them as markup.

This is exactly what PHP's htmlspecialchars() does, what Python's html.escape() does, and what every templating engine's auto-escaping does behind the scenes.

The 5 Characters You Must Always Encode

Five characters have special meaning in HTML and should always be encoded when inserting untrusted text into a page:

  • & (ampersand) → &amp; — encode this one first, or you'll double-encode the ampersand inside other entities
  • < (less-than) → &lt;
  • > (greater-than) → &gt;
  • " (double quote) → &quot;
  • ' (single quote) → &apos;

Named vs Decimal vs Hex Entities

The same character can be written three ways, and all three render identically:

  • Named: &copy; — readable, but not every character has a name
  • Decimal: &#169; — the Unicode code point in base 10, works for any character
  • Hex: &#xA9; — the Unicode code point in hexadecimal, common in XML contexts

Use ToolLance's HTML Encoder / Decoder to convert between all three, decode entities back to plain text, or strip HTML tags entirely — all five encoding modes (essential, named, decimal, hex, attribute-safe) run instantly in your browser.

When You Need Both Encodings Together

A common real-world case: embedding a URL inside an HTML attribute, like href="...". If the URL itself contains a value with special characters, you URL-encode that value first (so the URL structure stays intact), then HTML-encode the complete URL string before inserting it into the attribute (so it doesn't break out of the quotes). Each encoding step protects a different layer — skipping either one can break the link or open an injection vulnerability.

Try both encoders now
Free, browser-based, nothing uploaded — no signup

Frequently Asked Questions

What is percent-encoding (URL encoding)?

It replaces characters that aren't allowed in a URL with a % and two hex digits. A space becomes %20, an ampersand becomes %26.

What is the difference between encodeURIComponent and encodeURI?

encodeURIComponent encodes almost everything and is for a single parameter value. encodeURI leaves URL structure characters intact and is for encoding a full URL.

What is HTML entity encoding?

It converts characters like < and & into safe entities so browsers render them as text instead of markup — the same thing PHP's htmlspecialchars() does.

Do I need both URL encoding and HTML encoding?

Sometimes — e.g. embedding a URL inside an href attribute: URL-encode the value first, then HTML-encode the result before inserting it into the attribute.

Why does my URL show %20 sometimes and + other times for spaces?

%20 is the standard encoding and works everywhere. + represents a space specifically in form-submission encoding. Both decode back to a space correctly.