Complete Guide to URL Special Characters
Master URL special characters and encoding rules. Learn which characters need encoding and common pitfalls.
Introduction
Special characters in URLs can cause parsing errors, security vulnerabilities, and unexpected behavior. Understanding which characters are safe and how to handle unsafe ones is crucial for web development.
This guide covers all special characters you need to know about in URLs.
URL Structure
A URL is composed of several parts:
https://user:pass@example.com:8080/path/to/page?key=value&foo=bar#section
├─ scheme: https
├─ userinfo: user:pass
├─ host: example.com
├─ port: 8080
├─ path: /path/to/page
├─ query: key=value&foo=bar
└─ fragment: section
Reserved Characters
These characters have special meaning in URLs and must be encoded when used as data:
| Character | Purpose | Encoded | Example |
|---|---|---|---|
| : | Scheme/port delimiter | %3A | http://example.com |
| / | Path separator | %2F | /path/to/file |
| ? | Query string start | %3F | /page?query=value |
| # | Fragment identifier | %23 | /page#section |
| [ | IPv6 delimiter | %5B | [::1] |
| ] | IPv6 delimiter | %5D | [::1] |
| @ | Userinfo delimiter | %40 | user@host |
Query String Special Characters
These characters have special meaning in query strings:
| Character | Purpose | Encoded |
|---|---|---|
| & | Parameter separator | %26 |
| = | Key-value separator | %3D |
| + | Space (alternative) | %2B |
// Query string structure
?key1=value1&key2=value2&key3=value3
// ? starts the query string, = separates a key from its value, & separates parameters
// When these appear in values, encode them:
?search=A%26B // search = "A&B"
?math=2%2B2%3D4 // math = "2+2=4"
Unsafe Characters
Always encode these characters:
- Space → %20 (or + in query strings)
- " → %22
- < → %3C
- > → %3E
- { → %7B
- } → %7D
- | → %7C
- \ → %5C
- ^ → %5E
- ` → %60
Safe (Unreserved) Characters
These characters never need encoding:
- Letters: A-Z, a-z
- Digits: 0-9
- Hyphen: -
- Underscore: _
- Period: .
- Tilde: ~
// These are always safe
https://example.com/My_File-2024.pdf
https://example.com/~username/profile
Common Problems
1. Spaces in URLs:
// Wrong
https://example.com/my file.pdf
// Correct
https://example.com/my%20file.pdf
2. Ampersands in Query Values:
// Wrong - will be parsed as two parameters
?company=Smith&Sons
// Correct
?company=Smith%26Sons
3. Email Addresses:
// Wrong
?email=user@example.com
// Correct
?email=user%40example.com
Unicode and International Characters
Non-ASCII characters must be UTF-8 encoded:
// Original
?city=Zürich
// UTF-8 encoded
?city=Z%C3%BCrich
// Original
?search=你好
// UTF-8 encoded
?search=%E4%BD%A0%E5%A5%BD
Security Considerations
- XSS Prevention: Always encode user input in URLs
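- SQL Injection: Encode before database queries; percent-encoding is not a SQL defense on its own, so pass the decoded value to a parameterized query
- Path Traversal: Encode ../ sequences; the server decodes them again, so also validate the decoded path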
- Open Redirect: Validate redirect URLs
// Dangerous - potential XSS
?redirect=javascript:alert('XSS')
// Dangerous - path traversal
?file=../../etc/passwd
// Safe - encode user input
?search=%3Cscript%3Ealert%28%29%3C%2Fscript%3E
Best Practices
- Always use encoding functions (don't manually encode)
- Encode at the right layer (client or server)
- Test with special characters: &, =, ?, #, %, space
- Validate and sanitize user input
- Use URL builders/libraries when available
- Log raw and encoded URLs for debugging
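The practices above and the path traversal and open redirect cases from Security Considerations, as an added JavaScript example (not code from the original guide). `ALLOWED_ORIGIN`, the function names and all sample values are assumptions made for illustration.

```javascript
// Added example; ALLOWED_ORIGIN and all sample values are constructed.
const ALLOWED_ORIGIN = "https://example.com"; // assumption: the site's own origin

// Build a query string with a library instead of encoding values by hand.
// URLSearchParams encodes &, =, + and non-ASCII, and writes spaces as "+".
function buildUrl(base, params) {
  const url = new URL(base);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, value);
  }
  return url.href;
}

// Path traversal: validate the value after decoding it exactly once.
// "..%2F" is still "../" once the server decodes it.
function isSafeRelativePath(rawParam) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawParam);
  } catch {
    return false; // malformed percent sequence
  }
  if (/^[\\/]/.test(decoded) || decoded.includes("\0")) return false;
  return !decoded.split(/[\\/]/).includes("..");
}

// Open redirect: parse first, then allow only https targets on our origin.
function safeRedirect(target) {
  const fallback = ALLOWED_ORIGIN + "/";
  let url;
  try {
    url = new URL(target, ALLOWED_ORIGIN); // relative targets resolve here
  } catch {
    return fallback;
  }
  if (url.protocol !== "https:" || url.origin !== ALLOWED_ORIGIN) {
    return fallback;
  }
  return url.href; // absolute, so a "//host" path cannot change the host
}
```

`isSafeRelativePath` expects the raw, still-encoded parameter; if a framework has already decoded it, skip the `decodeURIComponent` step so the value is not decoded twice.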