How To Encode Python Code

Base64 Encoding in Python

Base64 encodes arbitrary binary data as a string of printable ASCII characters, making it safe to transmit through text-only channels such as JSON payloads, email, or data URIs. The base64module is part of Python's standard library and requires no installation.

base64.b64encode() and b64decode()

The input to base64.b64encode() must be bytes, not a string. To encode a plain string, first convert it with .encode('utf-8').

import base64

# Encode bytes directly
base64.b64encode(b'Hello World')
# b'SGVsbG8gV29ybGQ='

# Encode a string — convert to bytes first
base64.b64encode('Hello'.encode('utf-8'))
# b'SGVsbG8='

# Decode back to bytes
base64.b64decode(b'SGVsbG8gV29ybGQ=')
# b'Hello World'

# Decode to a string
base64.b64decode(b'SGVsbG8gV29ybGQ=').decode('utf-8')
# 'Hello World'

URL-safe Base64 variant

Standard Base64 uses + and /, which are reserved characters in URLs. The URL-safe variant replaces them with - and _, making the output safe for use in query strings and URL path segments — such as the header and payload segments of a JWT.

import base64

# URL-safe encoding — uses - and _ instead of + and /
base64.urlsafe_b64encode(b'Hello World')
# b'SGVsbG8gV29ybGQ='  (same here, but important when output contains + or /)

# URL-safe decoding
base64.urlsafe_b64decode(b'SGVsbG8gV29ybGQ=')

Try encoding and decoding Base64 strings interactively with the Base64 Encoder / Decoder tool.

URL Encoding in Python

URL encoding (percent-encoding) converts characters that are not allowed in URLs into a safe %XXhex representation. Python's urllib.parse module provides three functions that cover every common use case.

quote() and quote_plus()

from urllib.parse import quote, quote_plus, urlencode

# quote() — follows RFC 3986, encodes spaces as %20
quote('hello world')
# 'hello%20world'

# quote_plus() — encodes spaces as + (for query strings)
quote_plus('hello world')
# 'hello+world'

# safe parameter — characters NOT to encode
quote('/path/to/file', safe='/')
# '/path/to/file'  (slashes preserved)

quote('hello world & goodbye', safe='')
# 'hello%20world%20%26%20goodbye'

Use quote() for URL path segments — a + in a path means a literal plus sign, not a space. Use quote_plus() for query parameter values, where a server receiving + in a query string will correctly decode it as a space.

urlencode() — build a full query string from a dict

from urllib.parse import urlencode

params = {'name': 'John Doe', 'city': 'New York'}
urlencode(params)
# 'name=John+Doe&city=New+York'

# Append to a URL
base_url = 'https://api.example.com/search'
full_url = base_url + '?' + urlencode(params)
# 'https://api.example.com/search?name=John+Doe&city=New+York'

For a deeper look at percent-encoding rules and reserved characters, read the URL encoding guide.

HTML Encoding in Python

Outputting untrusted user data directly into HTML creates cross-site scripting (XSS) vulnerabilities. Python's html module provides two functions for converting characters with special meaning in HTML into their safe entity equivalents — and back again.

html.escape() and html.unescape()

import html

# Escape dangerous characters for safe HTML output
html.escape('<script>alert("xss")</script>')
# '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'

# quote=True (default) — also encodes " and '
html.escape('<p class="note">It's here</p>', quote=True)
# '&lt;p class=&quot;note&quot;&gt;It&#x27;s here&lt;/p&gt;'

# Unescape entities back to characters
html.unescape('&lt;p&gt;')
# '<p>'

html.unescape('&amp;copy; 2026')
# '© 2026'

Most Python web frameworks — Django, Jinja2, Flask with Jinja2 — auto-escape template variables by default. But when you build HTML strings manually, always call html.escape() on any user-supplied value before inserting it into HTML.

For more on HTML entity encoding and XSS prevention, see the HTML encoding guide and the HTML Encoder / Decoder tool.

JSON Encoding in Python

JSON is the standard format for REST APIs and configuration files. Python's json module serialises Python objects to JSON strings and deserialises JSON strings back to Python objects, with no external dependencies required.

json.dumps() and json.loads()

import json

data = {'name': 'Alice', 'age': 30}

# Serialise to a JSON string
json.dumps(data)
# '{"name": "Alice", "age": 30}'

# Keep non-ASCII Unicode characters readable
json.dumps({'city': 'Héloïse'}, ensure_ascii=False)
# '{"city": "Héloïse"}'

# Pretty-print for debugging or log files
json.dumps(data, indent=2)
# '{\n  "name": "Alice",\n  "age": 30\n}'

# Deserialise a JSON string back to a Python dict
json_string = '{"name": "Alice", "age": 30}'
json.loads(json_string)
# {'name': 'Alice', 'age': 30}

By default, json.dumps() converts non-ASCII characters to \uXXXX escape sequences. Pass ensure_ascii=False to keep them as-is, which produces smaller and more readable output when your data contains accented letters, CJK characters, or emoji.

String and Text Encoding (str → bytes)

Python 3's str type holds Unicode text. When you need raw bytes — to write to a file, send over a network socket, or pass to a function that expects bytes — you must encode the string explicitly.

str.encode() and bytes.decode()

# Encode a plain ASCII string
'Hello'.encode('utf-8')
# b'Hello'

# Encode a string with a non-ASCII character
'Héllo'.encode('utf-8')
# b'H\xc3\xa9llo'

# Decode bytes back to str
b'H\xc3\xa9llo'.decode('utf-8')
# 'Héllo'

# Other common encodings
'Hello'.encode('utf-16')   # b'\xff\xfeH\x00e\x00l\x00l\x00o\x00'
'Hello'.encode('latin-1')  # b'Hello'
'Hello'.encode('ascii')    # b'Hello'

UTF-8 is the right default for almost everything: it is backward-compatible with ASCII, handles every Unicode code point, and is the standard encoding for HTML, JSON, and most network protocols. Use latin-1 only when interoperating with legacy systems, and ascii only when you are certain the input contains no characters outside the ASCII range (0–127) — otherwise it will raise a UnicodeEncodeError.

Hashing in Python — One-Way Only

import hashlib

# SHA-256 hex digest — input must be bytes
hashlib.sha256(b'hello').hexdigest()
# '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'

# Hash a string
hashlib.sha256('hello'.encode('utf-8')).hexdigest()
# '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'

# List available algorithms
hashlib.algorithms_guaranteed
# {'sha256', 'sha512', 'sha3_256', 'blake2b', ...}

Use hashlib for integrity verification and message authentication. For password storage, use a dedicated slow-hashing library such as bcrypt or argon2-cffi — fast hashes like SHA-256 are not appropriate for passwords because they are trivially brute-forced by modern hardware.

Choosing the Right Python Encoding Function

The right choice depends entirely on the destination of the encoded output. Use this table as a quick reference.

Frequently Asked Questions

What is the difference between encoding and decoding in Python?

In Python 3, encoding converts a str (Unicode text) into bytes using a specific encoding scheme such as UTF-8. Decoding is the reverse — it converts bytes back into a str. For example, 'Hello'.encode('utf-8') produces b'Hello', and b'Hello'.decode('utf-8') returns 'Hello'.

How do I Base64-encode a string in Python?

Import base64 and pass bytes to base64.b64encode(). Strings must be converted to bytes first: base64.b64encode('Hello'.encode('utf-8')) returns b'SGVsbG8='. Call .decode('utf-8') on the result if you need a plain string. For URLs, use base64.urlsafe_b64encode() instead.

What is the difference between urllib.parse.quote() and quote_plus() in Python?

Both functions percent-encode special characters, but they handle spaces differently. quote() follows RFC 3986 and encodes spaces as %20, making it correct for URL path segments. quote_plus() encodes spaces as + and is designed for HTML form data sent as a query string.

How do I prevent XSS when outputting user data in Python HTML templates?

Use html.escape(user_input). It converts the five HTML-special characters (&, <, >, ", ') into safe HTML entities. Most Python web frameworks auto-escape template variables, but always call html.escape() when building HTML strings manually.

Is hashing the same as encoding in Python?

No. Encoding is always reversible — you can always decode back to the original value. Hashing with hashlib is a one-way transformation: you cannot recover the original input from the hash output. Use hashing for integrity verification, not for data storage or transmission where you need the original value back. Never use base64.b64encode()to "protect" sensitive data or passwords.

Related Tools and Guides