Is a URL allowed to contain a space?

Asked 31/1, 2009 at 1:2 Answered 24/6, 2012 at 8:51

156

Is a URI (specifically an HTTP URL) allowed to contain one or more space characters? If a URL must be encoded, is + just a commonly followed convention, or a legitimate alternative?

In particular, can someone point to an RFC that indicates that a URL with a space must be encoded?

Motivation for question: While beta-testing a web site, I noted that some URLs were constructed with spaces in them. Firefox seemed to do the right thing, which surprised me! But I wanted to be able to point the developers to an RFC so that they would feel the need to fix those URLs.

Duct answered 31/1, 2009 at 1:2 Comment(2)

superset that came later: what are all the invalid chars: #1548399 – Paquito 29/8, 2014 at 13:54

Related: In a URL, should spaces be encoded using %20 or +? – Nutritionist 17/9, 2014 at 12:42

121

As per RFC 1738:

Unsafe:

Characters can be unsafe for a number of reasons. The space character is unsafe because significant spaces may disappear and insignificant spaces may be introduced when URLs are transcribed or typeset or subjected to the treatment of word-processing programs. The characters "<" and ">" are unsafe because they are used as the delimiters around URLs in free text; the quote mark (""") is used to delimit URLs in some systems. The character "#" is unsafe and should always be encoded because it is used in World Wide Web and in other systems to delimit a URL from a fragment/anchor identifier that might follow it. The character "%" is unsafe because it is used for encodings of other characters. Other characters are unsafe because gateways and other transport agents are known to sometimes modify such characters. These characters are "{", "}", "|", "\", "^", "~", "[", "]", and "`".

All unsafe characters must always be encoded within a URL. For example, the character "#" must be encoded within URLs even in systems that do not normally deal with fragment or anchor identifiers, so that if the URL is copied into another system that does use them, it will not be necessary to change the URL encoding.

Individuality answered 31/1, 2009 at 1:32 Comment(2)

1738 has been superceeded by 2396. ietf.org/rfc/rfc2396.txt That is the current Uri specification. It does not matter in this case though. – Mainz 31/1, 2009 at 19:14

And 2396 has been superseded by 3986. Many people get this wrong, as RFCs are immutable, and thus do not tell the reader that they have been obsoleted. Hint: use tools.ietf.org/html/rfcnnnn, such as tools.ietf.org/html/rfc2396 instead, it displays the missing metadata on top. – Taneshatang 1/2, 2009 at 14:41

Shorter answer: no, you must encode a space; it is correct to encode a space as +, but only in the query string; in the path you must use %20.

Layman answered 31/1, 2009 at 1:41 Comment(4)

Hi, I am confused too, sometime I saw the book use "+" but sometime "%20", can you show some example for this? When user submit the form, how the form encode the space ? with which character? – Daedal 7/11, 2012 at 6:29

See this answer for additional detail. – Nutritionist 17/9, 2014 at 12:45

what about fragment/hash part? How spaces should be encoded there? – Educt 19/12, 2014 at 13:29

@gumkins: the fragment (# and after) is not sent to the server. In practice, you can use %20 or + anywhere to encode a space. – Swag 12/9, 2015 at 20:39

Why does it have to be encoded? A request looks like this:

GET /url HTTP/1.1
(Ignoring headers)

There are 3 fields separated by a white space. If you put a space in your url:

GET /url end_url HTTP/1.1

You know have 4 fields, the HTTP server will tell you it is an invalid request.

GET /url%20end_url HTTP/1.1

3 fields => valid

Note: in the query string (after ?), a space is usually encoded as a +

GET /url?var=foo+bar HTTP/1.1

rather than

GET /url?var=foo%20bar HTTP/1.1

Swag answered 31/1, 2009 at 1:44 Comment(4)

What if var really was "foo+bar" and not "foo bar"? – Dramaturge 11/9, 2015 at 15:40

I would argue that's a requirement of the transport layer, not of the URI specification itself. GET is clearly a property of the http: specification, not the URL specification. Similarly you could argue quotes in urls "must" be encoded because otherwise web pages would break. But that's a property of HTML formatting limitations, ( which there are other strategies against ), not a property of the URL specification. – Curson 23/1, 2016 at 3:0

ietf.org/rfc/rfc1738.txt - Unsafe characters including space) should be encoded – Swag 25/1, 2016 at 5:23

@KentFredric This is more likely the presentation layer, not the transport layer. As Julien (almost) writes, the original URI spec (RFC 1630) contains this restriction, so it's a part of the URI specification itself regardless of your personal feelings. Since the URI spec was written after the HTTP drafts, it's very possible that URIs were designed with HTTP in mind, including the prohibition against the use of spaces, but it doesn't really matter, does it? The truth is that the spec is what the spec is. – Mulvaney 27/4, 2018 at 21:31

URLs are defined in RFC 3986, though other RFCs are relevant as well but RFC 1738 is obsolete.

They may not have spaces in them, along with many other characters. Since those forbidden characters often need to be represented somehow, there is a scheme for encoding them into a URL by translating them to their ASCII hexadecimal equivalent with a "%" prefix.

Most programming languages/platforms provide functions for encoding and decoding URLs, though they may not properly adhere to the RFC standards. For example, I know that PHP does not.

Quadriga answered 31/1, 2009 at 1:25 Comment(0)

URL can have an Space Character in them and they will be displayed as %20 in most of the browsers, but browser encoding rules change quite often and we cannot depend on how a browser will display the URL.

So Instead you can replace the Space Character in the URL with any character that you think shall make the URL More readable and ' Pretty ' ;) ..... O so general characters that are preferred are "-","_","+" .... but these aren't the compulsions so u can use any of the character that is not supposed to be in the URL Already.

Please avoid the %,&,},{,],[,/,>,< as the URL Space Character Replacement as they can pull up an error on certain browsers and Platforms.

As you can see the Stak overflow itself uses the '-' character as Space(%20) replacement.

Have an Happy questioning.

Smalls answered 24/6, 2012 at 8:51 Comment(0)

Yes, the space is usually encoded to "%20" though. Any parameters that pass to a URL should be encoded, simply for safety reasons.

Gissing answered 31/1, 2009 at 1:4 Comment(0)

Urls should not have spaces in them. If you need to address one that does, use its encoded value of %20

Truthfunction answered 31/1, 2009 at 1:7 Comment(0)

Can someone point to an RFC indicating that a URL with a space must be encoded?

URIs, and thus URLs, are defined in RFC 3986.

If you look at the grammar defined over there you will eventually note that a space character never can be part of a syntactically legal URL, thus the term "URL with a space" is a contradiction in itself.

Taneshatang answered 31/1, 2009 at 19:11 Comment(0)

To answer your question. I would say it's fairly common for applications to replace spaces in values that will be used in URLs. The reason for this is ussually to avoid the more difficult to read percent (URI) encoding that occurs.

Check out this wikipedia article about Percent-encoding.

Sherrylsherurd answered 31/1, 2009 at 1:10 Comment(0)

Firefox 3 will display %20s in URLs as spaces in the address bar.

Sentient answered 31/1, 2009 at 1:8 Comment(1)

This is not a proper answer to pretty straightforward question: "Is a URL allowed to contain a space?". Rather a comment. – Against 22/7, 2019 at 22:42

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags