URL Decoding FAQ

URL decoding, answered.

Twenty-five questions on percent-decoding — from what it is and how to do it in JavaScript, Python, Java, and Go, to fixing garbled text, double-encoding, and the SEO and security side of URL encoding. Need the tool? Open the URL decoder.

Foundations

What is URL decoding?

URL decoding — also called percent-decoding — is a mechanism defined in RFC 3986 that reverses URL encoding. It reads the %XX hexadecimal sequences in a string and converts them back into the characters they represent: %20 becomes a space, %3F becomes a question mark. It turns a machine-safe URL back into readable text.

Why do web applications need URL encoding and decoding?

HTTP request lines are limited to a safe range of ASCII characters. Special characters, non-English text, and emoji would break that syntax if placed raw into a URL. Encoding converts them into %XX sequences so the data passes cleanly through browsers, proxies, and servers; decoding reverses it on the other end so the original value is recovered.

What are RFC 3986 reserved vs unreserved characters?

RFC 3986 sorts characters into two groups. Unreserved characters — A–Z a–z 0–9 - _ . ~ — are always safe and never need encoding. Reserved characters — ? & = : / # and a few others — have structural meaning in a URL, so they must be encoded when they appear inside a value rather than as structure.

Does URL decoding provide any encryption or security?

No. URL decoding is a fully reversible format change with no secrecy at all — anyone can decode a percent-encoded string without a key. It exists only to let data travel safely inside a URL. For confidentiality, use HTTPS and proper encryption, and keep sensitive values out of the URL entirely.

Is URL decoding the same as URL escaping?

Yes — “percent-encoding,” “URL encoding,” and “URL escaping” all describe the same reversible scheme. One caveat: JavaScript’s old escape() / unescape() functions are not the same. They are deprecated and produce non-standard %uXXXX sequences for non-ASCII characters, so use encodeURIComponent / decodeURIComponent instead.

Can I use URL encoding to handle raw binary data?

You can, but it’s inefficient. Percent-encoding turns each unsafe byte into three characters (%XX), so in the worst case the output is about three times the input size (roughly +200%). For binary payloads, Base64 or Base64URL is cleaner because it only adds about 33% overhead.

Decoding in code

How do I URL-decode in JavaScript?

Use decodeURIComponent(string) for an individual query value, path segment, or fragment. Use decodeURI(string) only for a complete URL where you want to preserve structural characters like : and /. In most cases decodeURIComponent is what you want.

What causes “URIError: malformed URI sequence” in JavaScript?

decodeURIComponent() throws this when it hits a broken percent sequence — a % not followed by two valid hex digits (like abc%2), or bytes that don’t form a valid UTF-8 character. Validate or repair the source string before decoding. Pasting it into our decoder shows where the invalid sequence is instead of crashing.

How do I URL-decode in Python?

Use the urllib.parse module. urllib.parse.unquote(string) decodes standard percent-encoding; urllib.parse.unquote_plus(string) also converts + into spaces, which is what you want for form-encoded query strings.

How do I URL-decode in Java?

Use java.net.URLDecoder.decode(string, "UTF-8"). Always pass the character encoding explicitly — if you omit it, the platform may fall back to an unpredictable system default and produce garbled output.

How do I URL-decode in Go?

Use the net/url package. url.QueryUnescape(string) decodes percent-encoding and converts + to spaces (query semantics); url.PathUnescape(string) decodes without the +-to-space conversion, for path segments.

How do I decode percent-encoded values in SQL?

There’s no single standard SQL function. Approaches vary by engine — PostgreSQL can decode bytes with helpers like convert_from() combined with byte substitution, and many teams write a small user-defined function to sanitize logged URLs. If you’re just inspecting a value, it’s usually simpler to decode it in your application layer or in a tool than inside SQL.

Errors & debugging

Why does my decoded output show garbled characters like café?

That’s a character-set mismatch: the bytes were encoded in one charset (often Windows-1252 or ISO-8859-1) but you’re decoding them as UTF-8. Pick the correct source charset. Our decoder supports 50+ charsets — try Windows-1252 or ISO-8859-1 for legacy Western data, Shift_JIS for old Japanese, GBK for old Chinese, KOI8-R for old Russian.

What is double-encoding, and how do I fix it?

Double-encoding is encoding a string that was already encoded, so %20 becomes %2520 (the % itself becomes %25). To read it, decode twice — or tick “Decode recursively” in our decoder, which peels off every layer in one pass. To prevent it, find the code that’s encoding an already-encoded value and remove that second pass.

Why are plus signs turning into spaces unexpectedly?

Because of the form-encoding convention (application/x-www-form-urlencoded), where + means space. If you’re decoding a path segment where + is a literal plus, turn off the “Treat + as space” option before decoding, or your real plus signs will wrongly become spaces.

Why did encoding a whole URL cause 404 errors?

You encoded the URL’s structure along with its data. Running an encoder over a full URL turns https://example.com/ into https%3A%2F%2Fexample.com%2F, which no server can route. Encode only the individual dynamic values — a single query value or path segment — then assemble the URL around them.

What triggers a “431 Request Header Fields Too Large” error?

Often a filter or faceted-navigation UI that re-encodes the whole query string on every click. Each pass turns % into %25, so a value balloons (%253A%25253A → …) until it exceeds the server’s header-size limit. Fix: keep filter state as plain values in memory and rebuild the query string from scratch each time instead of re-encoding the live URL.

Can percent-encoding hide malicious input?

Yes. Attackers sometimes double-encode characters — for example ../ as %252e%252e%252f — to slip path-traversal or injection payloads past a firewall that only checks the once-decoded form. When reviewing suspicious URLs, decode recursively to fully unwrap the string and see what it really contains before trusting it. A decoder only reveals the value; it never executes anything.

SEO & URL structure

How do broken URL parameters hurt SEO crawl budget?

If navigation code generates endless malformed or nested query strings — for example infinite filter combinations — crawlers can get stuck scanning countless near-duplicate URLs. That wastes crawl budget and slows indexing of your real content. Keep parameters clean and canonical, and block or canonicalize filter permutations.

What encoding should I use for multilingual URLs?

UTF-8 percent-encoding, which is what Google recommends for non-ASCII URLs. A path like /gemüse should encode as /gem%C3%BCse. UTF-8 keeps international URLs portable and correctly indexed across platforms.

Why do %C3%A9 and %c3%a9 cause duplicate-content issues?

RFC 3986 says the hex digits are case-insensitive, so both decode to the same character — but many servers and analytics tools treat the raw strings as distinct keys. That means /caf%C3%A9 and /caf%c3%a9 can be indexed as two separate pages, splitting link equity. Normalize to one case at your CDN or proxy and set a canonical tag. See our troubleshooting guide for the full fix.

What happens if I don’t encode a # in a tracking URL?

The browser treats # as the start of a fragment and never sends anything after it to the server. An unencoded # in the middle of a campaign or token value means everything after it is dropped, silently stripping your attribution parameters. Encode it as %23 when it’s data, and build query strings with URLSearchParams rather than string concatenation.

Privacy & large inputs

Is it safe to paste data into an online decoder?

It depends whether the tool processes input on a server or locally. urlencodedecode.com decodes entirely in your browser with client-side JavaScript — your input never leaves the tab, and the tool keeps working even if you go offline. That makes it safe for URLs containing tokens or other sensitive values. Always check that any tool you use is client-side before pasting sensitive data.

How much text can a browser-based decoder handle?

Ordinary URLs and even long lists decode instantly. Very large inputs — think multi-megabyte log dumps — can slow or freeze a browser tab, since everything runs in memory on your machine. For everyday URLs and batches of them you’ll never hit a limit; for huge files, a command-line tool is a better fit.

When should I use a command-line tool instead?

For very large files — big server logs or database exports — command-line utilities stream data line by line and aren’t constrained by browser memory. Python’s urllib.parse in a short script, or shell tools, will process files that would overwhelm a browser tab. For interactive, one-off decoding, the browser tool is faster and needs no setup.

Sources & standards

The answers above rest on the primary web standards that define percent-encoding, plus the official language documentation for the decode functions named:

Honest scope: the SQL and browser-memory notes describe general engine and environment behaviour, not anything fixed by a standard — treat those as practical guidance rather than spec-defined rules. The security answers describe how attackers use encoding; they aren’t an endorsement of any technique.

Related

Try the tool.

About this page

Written and maintained by the urlencodedecode.com team. Every technical claim on this page is verified against primary sources — the RFCs (3986, 3629, 4648, 7578), the WHATWG URL Standard, and official vendor or language documentation — rather than second-hand summaries. When a source contradicts a common assumption, we follow the source and note the discrepancy. Corrections: contactus@urlencodedecode.com.