Document Workflow
Encode one URL query value without breaking the outer link
Encode a search term, callback, or nested redirect as one RFC 3986 query value while preserving the outer URL's parameter boundaries and literal plus signs.
Written and tested by SimpleWebUtilsPublished: Reviewed:
How this workflow was checked
This check paired the exact “Encode a nested search URL as one value” input with URL Encoder and Decoder. We followed “Keep the raw source value”, captured the result after “Choose the receiving convention”, and compared it with the example while treating “Including the outer key in the encoded value” and “Treating raw plus as space without checking” as explicit boundary questions.
Only the nested search URL was encoded, yielding the documented %3A, %2F, %3F, %20, and %26 sequences while leaving the outer parameter structure available to its receiver.
Problem
A query string uses `?`, `&`, `=`, `#`, `%`, and sometimes `+` as syntax. The same characters can also be data inside a search term, callback, filter, or redirect target. If a nested ampersand is pasted raw, it starts a new outer parameter; if an existing `%20` is encoded again, it becomes `%2520`; and if a literal plus is decoded with form rules, it can become a space. The reliable unit of work is one identified value, not an undifferentiated full URL.
Sources and standards
These authoritative references define the formats or security boundaries used in this workflow. Tool-specific verification is documented separately above.
- URL Living Standard
WHATWG
When to use this
- A `next`, `returnUrl`, `redirect_uri`, `callback`, or `state` parameter contains another complete URL.
- A search or filter value contains spaces, `&`, `=`, `#`, `%`, a literal `+`, Korean, Japanese, or emoji.
- A browser opens the link but the receiving application reads a truncated or split parameter value.
- A webhook, API client, OAuth flow, or QR destination needs one reproducible encoded value.
- You need to decide between RFC 3986 component rules and application/x-www-form-urlencoded form rules.
Steps
- Step 1
Keep the raw source value
Store an untouched copy of the exact parameter value before editing. Preserve leading or trailing spaces, literal plus signs, and any existing `%HH` sequences so you can compare later.
- Step 2
Separate the outer URL from the value
Use URL Parser or Query String Parser to identify the one key whose value is broken. Do not include the outer `key=` prefix or neighboring `&other=value` pair in the component input.
- Step 3
Choose the receiving convention
Use RFC 3986 Component for a normal query value or nested URL. Choose Form value only when the receiving system explicitly applies application/x-www-form-urlencoded rules, where raw `+` means space.
- Step 4
Encode the exact value once
Run one encode pass. Review the existing-percent warning instead of automatically encoding again; `%25` growth is evidence that another layer is being added.
- Step 5
Rebuild and parse the outer link
Place the encoded output after the original key, rebuild the full link, then parse it again. Confirm the outer query has the expected number of keys and the nested ampersands no longer split it.
- Step 6
Test the actual receiver
Open the link only in an authorized test environment and compare the value received by the application with the untouched source. Percent encoding does not validate the destination or protect secrets in the URL.
Example
Encode a nested search URL as one value
Input
https://app.example.com/search?q=jwt decoder&sort=recentOutput
https%3A%2F%2Fapp.example.com%2Fsearch%3Fq%3Djwt%20decoder%26sort%3DrecentCommon mistakes
Including the outer key in the encoded value
Encoding `next=` together with its value can leave the receiving application without the key it expects. Encode the value, then attach it to the outer key.
Using Full URL for a nested URL
Full URL mode keeps `?` and `&` active. That is useful for a top-level readable URL but wrong when the complete URL must be data inside one outer parameter.
Treating raw plus as space without checking
Component rules preserve raw `+`; form rules interpret it as space. Confirm the receiver before choosing the profile or replacing plus signs.
Encoding an existing escape automatically
An existing `%2F` becomes `%252F` in another encode pass. Add that layer only when the surrounding protocol requires it.
Putting credentials or tokens in the URL
Encoding does not conceal data from history, logs, analytics, referrers, screenshots, or link recipients. Use non-URL secret transport where possible.
FAQ
Should I encode the key, the value, or the whole URL?
For this workflow, identify and encode one value. Keep the outer key and query separators active. Encode a whole URL as a component only when that URL itself is the value.
Should a space become `%20` or `+`?
RFC 3986 Component produces `%20`. Form value produces `+`. Use the convention the receiver documents rather than replacing one form globally.
How do I preserve a literal plus sign?
Component encoding converts a literal `+` to `%2B`. Form value also serializes a literal plus as `%2B`, while raw `+` in form decode input means space.
Why did `%20` become `%2520`?
The percent sign was encoded in another pass. Determine which layer owns the value before deciding whether that second layer is required.
Can I verify the result without sending a request?
Parse the rebuilt URL and decode the identified value once to compare it with the raw source. Final behavior still needs an authorized receiver test because frameworks apply different query conventions.
Does encoding make a redirect safe?
No. It preserves transport boundaries only. The application must separately validate allowed schemes, hosts, paths, signatures, and authorization.