RSS Feed Subscribe to RSS Feed


URL Encoding

URL encoding, also known as percent encoding, takes certain “reserved” characters and standardizes (or canonicalizes) them.

Why? This is normally done when transmitting data in html forms. For example, the # character has a special purpose in html (as an html anchor) and so is converted to make it clear that it is part of that data, not part of the html document where it is to be displayed.

Another (related) use is for prevention of XSS attacks. If your web page allows a user to enter text (for example, a comments box on a blog), it would be very easy for a motivated user to enter malicious text that will be interpreted as a script.

What does Url Eocnding look like? Each reserved character has a percent-encoding equivalent. For example, / (forward slash) becomes %2F and : (colon) becomes %3A. For more, see here.

So, the url would become

A real world example would be if on the aforementioned blog, instead of entering a banal comment such as “Great post!”, the user instead enters

<script type='text/javascript'>alert('xss');</script>

Instead of displaying this text, a browser may well interpret it as code and run it. So, such user entered text is encoded to ensure that it is transmitted and displayed as data, not interpreted and run as part of the page. It would end up being transported as something like


It would then be decoded before being displayed as intended and not cause any issues.


In Java, a common was to encode is to use the ESAPI libraries. See and

If you encode on the server side, you may need to decode on the client side too. Fortunately JavaScript has built in capabilities to do this. For example decodeURIComponent().

For a working example of encoding server side, and decoding on the client see, see this sample Spring boot project:


Tags: , , , ,

Leave a Reply