Short answer
- Use URL encoding for URL components and query values.
- Use HTML entities when text must be shown inside HTML without being interpreted as markup.
- Use Base64 when plain text or bytes need a reversible text-safe representation for a system that expects Base64.
Quick comparison
| Method | Common output | Use it for | Do not use it for | Tool |
|---|---|---|---|---|
| URL encoding | %20, %3D, %26 | URL paths, query values, and reserved URL characters | Escaping HTML markup or hiding secrets | URL Encoder / Decoder |
| HTML entities | &amp;, &lt;, &quot; | Displaying special characters inside HTML text | Sanitizing arbitrary HTML or encoding URLs | HTML Entity Encoder / Decoder |
| Base64 | SGVsbG8= | Text-safe representations for systems that expect Base64 | Encryption, access control, or URL escaping | Base64 Encoder / Decoder |
URL encoding
URL encoding, also called percent-encoding, turns characters that have special meaning in a URL into percent-prefixed values.
A space is commonly encoded as %20 inside a URL component. In some form-style query contexts, spaces may appear as +.
HTML entities
HTML entities represent characters such as ampersands, quotes, and angle brackets so they can be displayed as text in HTML.
Entity encoding is not a full HTML sanitizer. It helps represent characters, but it does not review or secure arbitrary markup.
Base64
Base64 converts text or bytes into a reversible text representation. It is useful when a system expects Base64 text.
Base64 is not encryption. Anyone with the encoded value can decode it if they know it is Base64.
Common mistakes
- Using Base64 to hide secrets.
- Using HTML entities inside URLs.
- Encoding an entire URL when only a query value should be encoded.
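The three mistakes above can be checked in a few lines of Node.js. This is an added example, not code from the original page; the helper names, the example.test host, and the sample value are assumptions made for illustration.

```javascript
// Added example for Node.js; helper names and example.test are hypothetical.
const BASE = 'https://example.test/search';
const SAMPLE = 'a&b=c d'; // constructed input with reserved URL characters

// URL context: percent-encode only the query value, never the whole URL.
function buildSearchUrl(base, value) {
  return `${base}?q=${encodeURIComponent(value)}`;
}

// Form-style query encoding: the same value, but a space becomes "+".
function formEncode(value) {
  return new URLSearchParams({ q: value }).toString();
}

// HTML text context: replace markup-significant characters with entities.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Base64: reversible by anyone, so it protects nothing.
function toBase64(text) { return Buffer.from(text, 'utf8').toString('base64'); }
function fromBase64(b64) { return Buffer.from(b64, 'base64').toString('utf8'); }

// Parse the URL back and report what the server would see as "q".
function receivedQuery(encoder, value) {
  return new URL(`${BASE}?q=${encoder(value)}`).searchParams.get('q');
}

function demo() {
  return {
    url: buildSearchUrl(BASE, SAMPLE),                   // value encoded, URL intact
    form: formEncode(SAMPLE),                            // space as "+"
    wholeUrlMistake: encodeURIComponent(`${BASE}?q=x`),  // scheme and "?" destroyed
    entityMistake: receivedQuery(escapeHtml, SAMPLE),    // "&" still splits the query
    correct: receivedQuery(encodeURIComponent, SAMPLE),  // value survives the round trip
    html: escapeHtml('<b>"x" & y</b>'),
    b64: toBase64('Hello'),
    decoded: fromBase64('SGVsbG8='),
  };
}
console.log(demo());
```

The entityMistake result shows why HTML entities do not belong in URLs: the ampersand in `&amp;` is still a parameter separator, so the receiver sees a truncated value.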
FAQ
What is the difference between URL encoding and HTML encoding?
URL encoding prepares text for URL components. HTML entity encoding prepares characters to display as text inside HTML.
Should spaces be encoded as %20 or +?
%20 is the common percent-encoded form for a space in URL components. Some form-style query encodings use + for spaces.
Is Base64 encryption?
No. Base64 is reversible encoding, not encryption or access control.
Can HTML entities prevent XSS?
HTML entity encoding can help display characters as text, but it is not a complete sanitizer or security review.