What Is %2C, %3F, %26 in URLs? Every Special Character Code Explained

If you have spent any time debugging URLs, you have seen these cryptic codes:

%2C  %3F  %26  %20  %23  %3D  %40  %2F  %25

They look like random noise. But each one maps to a specific character that has special meaning in a URL.

%2C  →  ,  (comma)
%3F  →  ?  (query start)
%26  →  &  (parameter separator)
%20  →    (space)
%23  →  #  (fragment)
%3D  →  =  (key-value separator)
%40  →  @  (at sign)
%2F  →  /  (path separator)
%25  →  %  (percent sign)

This reference covers every common percent-encoding code, explains why each character needs encoding, and shows how to decode them in every major language.

How Percent-Encoding Works

Percent-encoding converts unsafe bytes into a three-character sequence:

%  followed by two hexadecimal digits

For example, the space character has ASCII value 32, which is 20 in hex. So space becomes %20.

Character → ASCII Decimal → ASCII Hex → Encoded
space         32              20          %20
&             38              26          %26
?             63              3F          %3F

This encoding allows any byte value to be safely included in a URL, even if the original character would break URL parsing.

If you encounter an unknown code and need to identify it quickly, the URL Encoder/Decoder tool provides instant decoding.

Complete Reference Table

Reserved Characters

These characters have structural meaning in URLs and must be encoded when used as data.

CharacterCodeNameUsed For
%%25Percent signEscape character
:%3AColonScheme separator (https:)
/%2FForward slashPath separator
?%3FQuestion markQuery string start
#%23Hash/fragmentFragment identifier
&%26AmpersandParameter separator
=%3DEqualsKey-value separator
@%40At signUserinfo (email, auth)
$%24Dollar signReserved
+%2BPlus signSpace (form) or literal
,%2CCommaReserved
;%3BSemicolonReserved (path params)
%20SpaceInvalid in URLs

Common Punctuation

CharacterCodeNotes
!%21Often left unencoded in practice
"%22Double quote
'%27Single quote (apostrophe)
(%28Left parenthesis
)%29Right parenthesis
*%2AAsterisk
-%2DHyphen (safe character — usually not encoded)
.%2EPeriod (safe character — usually not encoded)
~%7ETilde (safe character — usually not encoded)
_%5FUnderscore (safe)

URL Structure Example

A URL like:

https://example.com/search?q=hello&page=1#results

broken down with percent codes:

https%3A//example.com/search%3Fq%3Dhello%26page%3D1%23results
  • %3A = :
  • %3F = ?
  • %3D = =
  • %26 = &
  • %23 = #

Character-by-Character Breakdown

%20 — Space

The most common percent code. Spaces are not allowed in URLs.

encodeURIComponent("hello world");
// hello%20world

Some systems use + for spaces instead. See the Space Encoding guide for details.

%26 — Ampersand (&)

The ampersand separates query parameters. If your data contains &, it must be encoded.

?q=laptops & tablets

Without encoding, the server sees two parameters: q=laptops and tablets=. Encode it as %26.

%3D — Equals Sign (=)

The equals sign separates keys from values in query strings. If a value contains =, encode it.

?filter=type=electronics

Becomes ambiguous. The server may see filter=type and electronics= as separate. Encode = as %3D.

%3F — Question Mark (?)

The question mark starts the query string. A literal ? inside a path or value must be encoded.

/path?q=hello?world

The second ? breaks parsing. Encode it as %3F.

%23 — Hash (#)

The hash sign starts the URL fragment. Everything after # is not sent to the server. If your data contains #, it must be encoded as %23 or the fragment is silently dropped.

%2F — Forward Slash (/)

The forward slash separates path segments. A slash inside a single path segment or query value should be encoded.

/products/laptops/2024

If laptops/2024 is a single product identifier, the / must be %2F or the server interprets it as a deeper path.

%40 — At Sign (@)

The at sign separates userinfo from the host in a URL. In query parameters, encode it as %40.

?email=user@example.com

While many servers handle this correctly, @ after the host can be misinterpreted, so encoding is safer.

%25 — Percent Sign (%)

The percent sign is the escape character itself. To include a literal %, encode it as %25.

This is also why double encoding creates %2520 — the % becomes %25, and the 20 stays, giving %2520.

%2B — Plus Sign (+)

The plus sign represents a space in form-urlencoded data. A literal plus sign must be encoded as %2B.

encodeURIComponent("C++");
// C%2B%2B

%2C — Comma (,)

Commas are technically reserved but often appear unencoded in URLs. Some APIs use commas as value separators:

?tags=js,node,react

If your API uses commas as delimiters, you need to encode literal commas in values.

%3B — Semicolon (;)

Semicolons are reserved for path parameters in some specifications. Most modern web frameworks ignore this, but encoding ; is safest.

%3A — Colon (:)

Colons separate the scheme from the rest of the URL (https:). Inside path segments or values, encode as %3A.

Unicode and UTF-8 Percent Codes

Non-ASCII characters are encoded as their UTF-8 byte sequences.

CharacterEncoded
é%C3%A9
ñ%C3%B1
%E2%82%AC
東京%E6%9D%B1%E4%BA%AC
🔥%F0%9F%94%A5

Each multi-byte UTF-8 character becomes multiple percent-encoded bytes.

from urllib.parse import quote

print(quote("東京"))   # %E6%9D%B1%E4%BA%AC
print(quote("🔥"))     # %F0%9F%94%A5

How to Decode Percent Codes

JavaScript

decodeURIComponent("%E6%9D%B1%E4%BA%AC");
// 東京

Python

from urllib.parse import unquote

unquote("%E6%9D%B1%E4%BA%AC")
# 東京

Java

import java.net.URLDecoder;

URLDecoder.decode("%E6%9D%B1%E4%BA%AC", "UTF-8");
// 東京

C#

using System.Web;

HttpUtility.UrlDecode("%E6%9D%B1%E4%BA%AC");
// 東京

curl / Bash

# No built-in decode, but printf can decode
printf '%b' '\u6771\u4eac'
# 東京

Or use a URL decode tool for interactive debugging.

Detecting and Debugging Double Encoding

Double encoding is identifiable by the %25 pattern:

%20  →  %2520  (space double-encoded)
%26  →  %2526  (ampersand double-encoded)
%3F  →  %253F  (question mark double-encoded)

If you see %25 anywhere in your URL, the value has been encoded at least twice.

Example:

redirect=https%253A%252F%252Fexample.com

Decode once:

decodeURIComponent("https%253A%252F%252Fexample.com")
// https%3A%2F%2Fexample.com

Decode twice:

decodeURIComponent("https%3A%2F%2Fexample.com")
// https://example.com

Quick Reference Card

For quick lookup during debugging, here is a compact reference:

CodeCharName
%20spaceSpace
%21!Exclamation
%22"Double quote
%23#Hash/Fragment
%24$Dollar
%25%Percent
%26&Ampersand
%27'Apostrophe
%28(Left paren
%29)Right paren
%2A*Asterisk
%2B+Plus
%2C,Comma
%2D-Hyphen
%2E.Period
%2F/Forward slash
%3A:Colon
%3B;Semicolon
%3C<Less than
%3D=Equals
%3E>Greater than
%3F?Question mark
%40@At sign
%5B[Left bracket
%5C\Backslash
%5D]Right bracket
%5E^Caret
%5F_Underscore
%60`Backtick
%7B{Left brace
%7C``
%7D}Right brace
%7E~Tilde

Best Practices

Never Trust User Input

Always encode user-provided strings before inserting them into URLs. Assume they contain special characters.

Distinguish Between Encoded and Raw State

// Track whether data is raw or encoded
const RAW = Symbol("raw");
const ENCODED = Symbol("encoded");

function markRaw(value) {
  return { [RAW]: value };
}

function markEncoded(value) {
  return { [ENCODED]: value };
}

Validate URLs by Decoding

A well-formed encoded URL should decode cleanly:

function validateEncodedUrl(url) {
  try {
    const decoded = decodeURIComponent(url);
    const reencoded = encodeURIComponent(decoded);
    return url === reencoded || url === encodeURI(decoded);
  } catch {
    return false;
  }
}

Know Your Codes

The most common codes to recognize on sight:

%20 (space)  %26 (&)  %3D (=)  %3F (?)  %23 (#)
%2F (/)  %40 (@)  %25 (%)  %2B (+)

If you see these in a URL, you know exactly which characters they represent.

Related Resources

For deeper dives into specific encoding topics:

FAQ

What does %20 mean in a URL?

%20 is the percent-encoded representation of a space character. The 20 is the hexadecimal value of the space character's ASCII code (32).

What does %26 mean in a URL?

%26 represents the ampersand character (&). Ampersands must be encoded in query values because they normally separate parameters.

What does %3F mean in a URL?

%3F represents the question mark character (?). Question marks must be encoded in values because they normally indicate the start of a query string.

What does %23 mean in a URL?

%23 represents the hash character (#). Hashes must be encoded in values because they normally indicate the start of a URL fragment.

What does %25 mean in a URL?

%25 represents the percent character (%). The percent sign must be encoded because it is the escape character for percent-encoding itself.

How do I decode percent codes?

Use decodeURIComponent() in JavaScript, unquote() in Python, URLDecoder.decode() in Java, or HttpUtility.UrlDecode() in C#.

How can I tell if a URL is double-encoded?

Look for %25 — that indicates the % character itself was encoded. For example, %2520 is %20 double-encoded.

What character does %40 represent?

%40 represents the at sign (@), commonly seen in email addresses embedded in URLs.

What character does %2F represent?

%2F represents the forward slash (/), the path separator in URLs.

Are percent codes case-sensitive?

%2F and %2f are both valid and represent the same character. However, uppercase hex digits are more common and canonical.

Final Thoughts

Percent-encoding codes look cryptic at first glance, but they follow a simple, consistent pattern. Each %XX sequence is just a hexadecimal byte value. Once you learn a few common codes, you can read encoded URLs by sight and spot encoding bugs immediately.

Keep this reference handy — or better yet, bookmark the URL Encoder/Decoder tool for interactive encoding and decoding during debugging.