URL-Decoder
Dekodieren Sie URL-kodierten Text in lesbare Zeichen zum Debuggen von Links
What is URL Decoding (Percent-Decoding)?
URL decoding — formally called percent-decoding — reverses the percent-encoding process defined in
RFC 3986. It takes a string containing percent-encoded sequences like %20, %3A,
or %E2%9C%93 and reconstructs the original characters they represent. This operation is
essential when debugging HTTP requests, inspecting query parameters from server logs, analyzing redirect
chains, or extracting human-readable text from encoded URLs pasted into chat or documentation. Unlike
encoding (which always succeeds for any input), decoding can fail when the input contains malformed
percent sequences, incomplete multi-byte characters, or invalid hexadecimal digits — making robust error
handling a critical concern for any decoding tool.
How Percent-Decoding Works
The percent-decoding algorithm scans the input string character by character. When it encounters a
percent sign (%) followed by exactly two hexadecimal digits (0–9, A–F, a–f), it
converts that three-character sequence into the corresponding byte value. For example,
%20 becomes byte 0x20 (space), %2F becomes 0x2F (forward slash), and
%C3%A9 becomes the two-byte UTF-8 sequence for "é". Characters that are not preceded
by a percent sign pass through unchanged, and the plus sign (+) is optionally
interpreted as a space in the application/x-www-form-urlencoded format used by HTML
forms — a legacy convention that predates RFC 3986.
Once all percent sequences are converted to raw bytes, the resulting byte sequence is interpreted
as UTF-8 text. This two-stage process — percent-to-bytes then bytes-to-characters — is why
multi-byte Unicode characters produce multiple percent-encoded triplets: the Japanese character "日"
is encoded as %E6%97%A5 (three bytes in UTF-8), and decoding must reassemble all three
before interpreting the character. Truncating the sequence at %E6%97 would produce a
URIError because the byte sequence is not valid UTF-8.
Malformed Input and URIError Handling
Decoding is inherently more error-prone than encoding because malformed input can produce undefined
results. The JavaScript decodeURIComponent() function throws a URIError
when it encounters sequences that cannot be interpreted as valid UTF-8. Common failure scenarios include:
- Incomplete percent triplet: A percent sign followed by fewer than two hex digits (e.g.,
%2or%at end of string) is syntactically invalid and produces a URIError. - Invalid hex digits: Sequences like
%GHor%ZZcontain characters outside the hexadecimal range and cannot be decoded. - Broken UTF-8 sequences: Bytes like
%C3without their continuation byte produce invalid UTF-8 that the decoder cannot interpret as any character. - Lone surrogate halves: Sequences encoding UTF-16 surrogates (U+D800 to U+DFFF) are invalid in UTF-8 and are rejected by compliant decoders.
This tool wraps decoding in proper error handling, catching URIError exceptions and
reporting the exact position and nature of the malformed sequence. Rather than silently dropping
undecodable bytes or replacing them with the Unicode replacement character (U+FFFD), it highlights
the problematic segment so you can fix the source of the encoding error.
Detecting and Resolving Double-Encoding
Double-encoding is one of the most common bugs in web applications that handle URLs. It occurs when
an already-encoded string is passed through an encoding function a second time, turning
%20 into %2520 (the percent sign itself gets encoded). Symptoms of
double-encoding include:
- URLs that display
%2520instead of spaces in browser address bars - Query parameters containing
%253Dinstead of=signs - Redirect URLs that 404 because the path contains literal
%2Fsequences decoded once to/but the server expects a single decode - API responses where JSON string values contain
%22instead of quote characters
To diagnose double-encoding, decode the string once and inspect the result. If the output still
contains percent-encoded sequences (matches the pattern %[0-9A-Fa-f]{2}), the original
was likely double-encoded. Decode again and compare. This tool makes this workflow easy by showing
the decoded output immediately — if you see remaining percent sequences, paste the output back for
a second decode pass. In production code, implement detection by checking if the decoded output
still contains valid percent-encoded sequences and decode iteratively until stable.
decodeURIComponent vs decodeURI: Choosing the Right Function
JavaScript provides two built-in decoding functions with important differences.
decodeURI() decodes a full URI but preserves characters that have special meaning in
URI syntax: # $ & + , / : ; = ? @. It is designed for decoding complete URLs
where you want the structure to remain intact. decodeURIComponent() decodes everything,
including those reserved characters — it is designed for decoding individual URI components like
a query parameter value or a path segment.
Using the wrong function leads to subtle bugs. If you pass a full URL to
decodeURIComponent(), encoded slashes (%2F) in the path become literal
slashes, potentially changing the URL's routing semantics. Conversely, if you use
decodeURI() on a query parameter value that legitimately contains an encoded ampersand
(%26), it decodes it to & — splitting what should be a single
parameter into two. This tool applies decodeURIComponent() by default because the most
common use case is decoding individual values extracted from URLs, but understanding when to use
each function prevents data corruption in your application code.
Debugging Encoded URLs in Real-World Scenarios
URL decoding is a critical step in several debugging workflows that developers encounter daily:
- Server log analysis: Web server access logs record request URIs with percent-encoding intact. Decoding reveals the actual search queries, file names, and parameter values users submitted.
- Redirect chain inspection: OAuth flows and SSO systems pass callback URLs as encoded parameters within other URLs. Decoding each layer reveals the full redirect chain and helps identify where authentication failures originate.
- Deep link debugging: Mobile deep links and universal links encode complex parameters (JSON payloads, nested URLs) that must be decoded to verify correctness.
- SEO audit: Crawlers may report URLs with encoded characters differently than browsers display them. Decoding canonical URLs confirms whether duplicates are true duplicates or encoding variations.
- Webhook payload inspection: Form-encoded webhook bodies from payment processors, CRM systems, and notification services arrive as percent-encoded key-value pairs that need decoding to read.
This tool handles all these scenarios by accepting any percent-encoded input — whether it is a complete URL, a single query parameter value, or a form-encoded request body — and producing the decoded human-readable result with clear error reporting for any malformed segments.
Code Examples
Safe URL decoding with URIError handling in JavaScript
// Safe decode that catches malformed sequences
function safeDecode(encoded) {
try {
return { success: true, value: decodeURIComponent(encoded) };
} catch (e) {
if (e instanceof URIError) {
return { success: false, error: 'Malformed percent-encoding: ' + e.message };
}
throw e;
}
}
// Decode with double-encoding detection
function decodeWithDetection(input) {
const first = safeDecode(input);
if (!first.success) return first;
// Check if result still contains percent-encoded sequences
const hasEncoded = /%[0-9A-Fa-f]{2}/.test(first.value);
if (hasEncoded) {
const second = safeDecode(first.value);
return {
...second,
wasDoubleEncoded: true,
intermediateValue: first.value
};
}
return { ...first, wasDoubleEncoded: false };
}
// Examples
console.log(safeDecode('hello%20world'));
// → { success: true, value: "hello world" }
console.log(safeDecode('%E2%9C%93'));
// → { success: true, value: "✓" }
console.log(decodeWithDetection('hello%2520world'));
// → { success: true, value: "hello world", wasDoubleEncoded: true }Parsing form-encoded request body
// Decode application/x-www-form-urlencoded body
function parseFormBody(body) {
const params = {};
for (const pair of body.split('&')) {
const [rawKey, ...rawValues] = pair.split('=');
const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
const value = decodeURIComponent(rawValues.join('=').replace(/\+/g, ' '));
params[key] = value;
}
return params;
}
const body = 'name=John+Doe&city=S%C3%A3o+Paulo&q=a%26b%3Dc';
console.log(parseFormBody(body));
// → { name: "John Doe", city: "São Paulo", q: "a&b=c" }Standards & Specifications
- RFC 3986 §2.1 — Defines percent-encoding and percent-decoding rules for URI characters
- WHATWG URL Standard — Specifies the percent-decode algorithm used by web browsers and the URL API
Häufig Gestellte Fragen
What is URL decoding?
URL decoding converts percent-encoded characters back to their original form. It transforms sequences like %20 back into spaces and %3D back into equals signs, making URLs human-readable again.
When should I decode URLs?
Decode URLs when you need to read query parameters, analyze URL data, or convert encoded URLs back to readable text. This is useful for debugging, logging, or displaying URLs to users.
Can I decode URLs multiple times?
Yes, but be careful. Some URLs are double-encoded (encoded twice), so you might need to decode multiple times. However, decoding a non-encoded URL won't cause errors—it will just return the same text.
Is my data sent to a server?
No, all URL decoding happens in your browser. Your data never leaves your device. This ensures complete privacy and security for sensitive information.