Both URL encoding and HTML encoding transform characters into an encoded representation — but they're different systems, used in different contexts, producing different output. Mixing them up causes broken links, garbled text, and security vulnerabilities. Here's the clear distinction and when each applies.

What Each One Is For

URL encoding (percent encoding) makes characters safe for transmission in URLs. It converts each unsafe byte to a %XX format where XX is the hexadecimal byte value.

HTML encoding (HTML entities) makes characters safe for rendering in HTML documents. It converts characters that have HTML-structural meaning into named or numeric entity representations (&amp;, &lt;, etc.).

The same character — like an ampersand (&) — encodes differently in each system:

  • URL encoding: %26
  • HTML encoding: &amp;

Using one where the other belongs breaks things in ways that can be hard to debug.

Context Determines Which to Use

Use URL encoding when:

  • Building a URL or query string programmatically
  • Passing values in GET parameters
  • Embedding user input as part of a URL
  • Constructing API endpoint URLs with variable values

Use HTML encoding when:

  • Outputting user-generated text inside HTML content
  • Displaying special characters (©, &, <) in a web page
  • Preventing XSS — HTML-encode all untrusted content before inserting it into a page
  • Storing content in HTML attributes where special characters could break attribute parsing

Encoding the Same Characters: A Comparison

Here's how the most common characters encode in each system:

  • Space: URL → %20 | HTML → no encoding needed in content, &nbsp; for non-breaking
  • Ampersand (&): URL → %26 | HTML → &amp;
  • Less-than (<): URL → %3C | HTML → &lt;
  • Greater-than (>): URL → %3E | HTML → &gt;
  • Double quote ("): URL → %22 | HTML → &quot;
  • Single quote ('): URL → %27 | HTML → &apos;

Where Both Apply Simultaneously

HTML anchor tags combine both encoding systems in one element:

<a href="/search?q=text%20tools%20%26%20converters">Text tools &amp; converters</a>

  • The href attribute value uses URL encoding (%20 for space, %26 for &)
  • The link text uses HTML encoding (&amp; for &)

This is the correct way to construct a link. Using HTML encoding in the href (&amp; instead of %26) produces an invalid URL. Using URL encoding in the link text (%26 instead of &amp;) shows the percent-encoded text to users instead of the character.

Security: Why Getting This Wrong Has Consequences

Failing to HTML-encode untrusted content before outputting it in HTML is one of the most common causes of Cross-Site Scripting (XSS) vulnerabilities. If a user enters <script>alert('xss')</script> and your application outputs it without HTML encoding, that script executes in other users' browsers.

HTML-encoding the output as &lt;script&gt;alert('xss')&lt;/script&gt; makes it render as visible text, not executable code. This is why every web framework and template engine has built-in automatic HTML escaping for template variables: it prevents this class of vulnerability at the framework level.
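
The link construction and the output encoding described in the last two sections, as an added example that is not code from the original page. The helper names and the example.test base URL are assumptions; the sample inputs are the page's own search term and XSS string.

```javascript
// Added example; escapeHtml, buildSearchLink, buildSearchLinkWrong and
// queryValueSeenByServer are hypothetical helper names.

// HTML-encode the characters that have structural meaning in HTML content
// and in quoted attribute values.
function escapeHtml(text) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Correct: each context gets its own encoding.
function buildSearchLink(term) {
  // URL context: percent-encode the value so spaces and & stay inside q.
  const url = "/search?q=" + encodeURIComponent(term);
  // HTML context: encode the finished URL for the attribute and the raw
  // term for the link text.
  return '<a href="' + escapeHtml(url) + '">' + escapeHtml(term) + "</a>";
}

// Mistake: HTML encoding used where URL encoding belongs.
function buildSearchLinkWrong(term) {
  return '<a href="/search?q=' + escapeHtml(term) + '">' + escapeHtml(term) + "</a>";
}

// What the server receives as q: undo the attribute's HTML encoding, as the
// browser's HTML parser does, then parse the URL. example.test is a
// placeholder base for resolving the relative href.
function queryValueSeenByServer(anchorHtml) {
  const href = /href="([^"]*)"/.exec(anchorHtml)[1];
  const names = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  const decoded = href.replace(/&(amp|lt|gt|quot|apos);/g, (m, name) => names[name]);
  return new URL(decoded, "http://example.test").searchParams.get("q");
}

// Constructed sample inputs: the page's search term and its XSS string.
const term = "text tools & converters";
const payload = "<script>alert('xss')</script>";

console.log(buildSearchLink(term));
console.log(queryValueSeenByServer(buildSearchLink(term)));      // full term
console.log(queryValueSeenByServer(buildSearchLinkWrong(term))); // cut at the &
console.log(buildSearchLink(payload)); // no literal < or > reaches the page
```

With the wrong builder the browser turns &amp; back into & before parsing the URL, so the ampersand acts as a parameter separator and the server sees a truncated q.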

Frequently Asked Questions

What is the difference between URL encoding and HTML encoding?

URL encoding (percent encoding) makes characters safe for use in URLs by converting them to %XX format. HTML encoding converts characters to HTML entities (&amp;, &lt;) to make them safe for display in HTML. They use different output formats and apply in different contexts — URLs vs. HTML content.

Can I use &amp; in a URL?

No. &amp; is HTML encoding — it's for HTML content. In a URL, an ampersand must be either: (1) a literal & as a query parameter separator, or (2) %26 if it appears inside a parameter value. Using &amp; in a URL produces a broken URL that doesn't work as expected.

Do I need to encode URLs in HTML href attributes?

URL-encode the URL itself (for special characters in query values), then if the URL contains an & as a parameter separator, also HTML-encode it as &amp; when placing it in an href attribute. Modern HTML5 parsers are lenient, but using &amp; in href is technically correct and avoids validation warnings.

Why does my encoded URL show &amp; instead of &?

The URL was HTML-encoded when it should have been URL-encoded. The & in your URL was converted to &amp; (HTML entity format) instead of being left as & (for structural separators) or %26 (for values). Use URL encoding for URL components, HTML encoding only for text displayed in HTML.

Is HTML encoding enough to prevent XSS attacks?

HTML encoding user-supplied content before outputting it in HTML is the primary defense against reflected and stored XSS. It's not sufficient alone — you also need Content Security Policy headers, proper DOM manipulation practices (avoiding innerHTML with untrusted data), and context-aware encoding (different contexts need different encoding).