CARBIDEWEB

HomeBlog

Base64 decode, URL encode & HTML entities explained

EditorsPublished July 2, 20267 min read

Base64 decode turns a string like SGVsbG8= back into readable text; URL encoding swaps unsafe characters for %20-style codes so links work; HTML entities escape < > & so browsers show them instead of parsing them. None of the three is encryption — they are all reversible encodings. Carbide gives you a tool for each, and every one runs entirely in your browser.

That matters because the strings you paste are often not random — an access token, a signed URL, a snippet of source. Here is what Base64, percent-encoding and HTML entities actually do, how to convert both ways, and where each one trips people up.

What Base64 is — encoding, not encryption

Base64 rewrites any data — text, an image, a token — using just 64 safe characters (A–Z, a–z, 0–9, + and /) so it can travel through channels that only expect plain text, like email headers, JSON fields or data URLs. Paste a string into the Base64 encoder and decoder and it converts both ways instantly: text to Base64, or a Base64 string back to text.

The single most important thing to understand: Base64 is not encryption and offers no security. Anyone can decode it in one step — there is no key. So a password or API secret "hidden" in Base64 is effectively in plain sight. Use Base64 to safely transport data, and reach for the hash generator or real encryption when you actually need to protect something.

Base64 EncoderEncode / decodeTry the tool

Why your Base64 string ends in == or =

Base64 works in groups of three bytes, turning every three bytes into four characters. When your input length is not a clean multiple of three, the last group is short, and Base64 pads it with one or two = signs to keep that four-character block complete. One byte left over gives you ==, two bytes left over give you a single =, and an exact multiple of three gives you no padding at all.

That is all the padding means — it is structural, not a checksum or a signature. If a string won't decode, a common cause is missing or stripped padding: some systems drop the = to make Base64 URL-safe. Paste it into the Base64 tool as-is first; if it fails, adding back the = signs so the length is a multiple of four usually fixes it.

Percent-encoding: why URLs show %20 and how to fix it

URLs can only safely carry a limited set of characters. Spaces, and symbols like ?, &, #, = and / have special meaning, so when they appear in real content they are percent-encoded — replaced by a % followed by the character's byte value. A space becomes %20, so "hello world" turns into hello%20world in a link.

The URL encoder and decoder handles both directions: it encodes a value so you can drop it safely into a query string, or decodes a scary-looking link back into readable text. It correctly treats a whole URL differently from a single component — many tools get this wrong and mangle the ? or & that hold your link together.

URL Encoder / DecoderPercent-encode any stringTry the tool

Decode Arabic %D8… links back to readable text

Share an Arabic link and it often arrives as a wall of %D8%A7%D9%84… — every Arabic letter is multiple bytes, and each byte becomes its own percent code. It looks broken, but it is just UTF-8 percent-encoding, and it is fully reversible. Paste the encoded link into the URL decoder and it turns those %D8-style sequences back into the original Arabic words.

This is one of the most searched fixes in Arabic tech, because most decoders assume Latin text and return more gibberish. Going the other way, if you are building a link with Arabic in it, encode the Arabic part first so it survives being pasted into chats and emails. The conversion happens on your device — the link you paste is never sent anywhere.

encodeURI vs encodeURIComponent — which to use

These two JavaScript functions confuse almost everyone, and picking the wrong one quietly breaks links. encodeURI is for a whole URL: it leaves the structural characters (: / ? & = #) alone so the address still works. encodeURIComponent is for a single piece — one query value, one path segment — and it encodes those same structural characters too, because inside a value they are just data.

The rule of thumb: encode the whole thing with encodeURI, but encode each parameter value with encodeURIComponent before you stitch it into the query string. If you are not writing code, the URL encoder offers both modes so you can pick "full URL" or "single component" and get the right result without memorizing the difference. Test a value both ways and compare.

Escape HTML: named vs numeric entities

When you want a page to display < > & rather than treat them as code, you escape them as HTML entities. The HTML entity encoder converts those characters to safe entities — < becomes &lt;, > becomes &gt;, and & becomes &amp; — and decodes them back again. This is what stops a stray < from swallowing the rest of your paragraph, or an & from breaking a link.

You will see two styles: named entities like &amp; and &copy; (readable), and numeric entities like &#38; and &#169; (work for any character, including emoji and every Arabic letter). Both render identically; named ones are friendlier, numeric ones are universal. Escape any text you are dropping into HTML, a template or a code sample — and if you need to show code snippets beautifully instead, try Code to image.

HTML Entity EncoderEscape and unescape HTMLTry the tool

Frequently asked questions

Is Base64 secure or encrypted?

No. Base64 is an encoding, not encryption — anyone can decode it instantly with no key using the Base64 tool. Never use it to hide passwords or secrets; use hashing or real encryption for that.

Why does my Base64 string end in == ?

The = signs are padding that keep Base64's four-character blocks complete when your input length isn't a multiple of three. One leftover byte adds ==, two leftover bytes add a single =, and an exact multiple adds none.

How do I decode an Arabic URL full of %D8?

Paste it into the URL decoder. Those %D8-style codes are UTF-8 percent-encoding of Arabic letters and fully reversible — the tool turns them back into readable Arabic right in your browser.

What's the difference between %20 and + for a space?

Both can mean a space: %20 is the standard percent-encoding that works anywhere in a URL, while + is a shortcut that only means space inside a query string. When in doubt, use %20 — the URL encoder produces it.

Are these encoders free and is my text uploaded?

They are free with no sign-up and no limits. Base64, URL and HTML entity encoding all run entirely in your browser, so the text you paste is never uploaded — it stays on your device.

Base64, percent-encoding and HTML entities are three everyday encodings that look cryptic but are all reversible and none of them are security. Keep the Base64 encoder handy for tokens and data URLs, the URL encoder for links (Arabic ones included), and the HTML entity encoder for anything you paste into a page — all free, and all in your browser.