URL Encode Question Mark (?)

The question mark (?) is one of the most structurally significant characters in a URL. It serves as the delimiter between the path and the query string. When a literal question mark needs to appear inside a parameter value or path segment, it must be encoded as %3F.

Percent-encoded form: %3F represents the question mark (ASCII code 63, hexadecimal 0x3F). Encoding it prevents the URL parser from interpreting it as the start of a new query string.

URL structure recap: In https://example.com/path?key=value, the ? signals the beginning of query parameters. Only the first ? in a URL has this special meaning; subsequent unencoded question marks in the query string are technically valid but can cause confusion and inconsistent parsing across implementations.

JavaScript behavior:

encodeURIComponent("What is this?") // "What%20is%20this%3F"
encodeURI("What is this?")          // "What%20is%20this?" (does NOT encode ?)

This is another case where encodeURI() and encodeURIComponent() differ significantly. Since encodeURI() is designed for complete URIs, it preserves ? as a structural element. Use encodeURIComponent() when encoding values that might contain question marks.

Common scenarios where encoding is needed:

• Passing natural language questions as search queries: /search?q=How%20do%20I%20encode%3F
• Embedding one URL inside another as a parameter: /redirect?url=https%3A%2F%2Fexample.com%2Fpage%3Fid%3D5
• File names or resource identifiers that contain question marks
• Building URLs from user-generated content where ? may appear unexpectedly

Pitfall: When constructing redirect URLs, developers often pass a destination URL as a query parameter. If the destination URL contains its own query string (with ? and &), the entire destination must be encoded as a single value. Failure to do so causes the outer URL parser to absorb the inner URL's parameters, leading to broken redirects and potential open redirect vulnerabilities.