URL Parser
Parse a URL or query string locally into components, host-label evidence, query rows, duplicate and encoding notes, masked sensitive values, a rebuilt review URL, charts, and exports.| Component | Value | Detail | Copy |
|---|---|---|---|
| {{ row.component }} | {{ row.value }} | {{ row.detail }} |
| Index | Key | Value | Occurrence | Form | State | Copy |
|---|---|---|---|---|---|---|
| {{ row.index }} | {{ row.key }} | {{ row.value }} | {{ row.occurrence }} | {{ row.form }} | {{ row.state }} |
| Signal | Status | Detail | Copy |
|---|---|---|---|
| {{ row.signal }} | {{ row.status }} | {{ row.detail }} |
{{ reviewUrlText }}
A URL is a structured address, not just a single string. The scheme tells software how to interpret the address, the host names the destination, the path points to a resource, the query carries filters or tracking values, and the fragment identifies a client-side location inside the result. Reading those parts separately prevents common support and debugging mistakes, especially when a link contains duplicate query keys, hidden credentials, or a long tracking tail.
URL parsing is useful when a redirect looks wrong, an API request drops a filter, a marketing link carries too many tracking parameters, or a support ticket needs a safe version of a link. The important distinction is that parsing explains the address that was pasted. It does not prove the page exists, that the destination is safe, or that a server will treat every query key exactly the way a browser displays it.
Small syntax choices matter. A missing scheme can turn a host into plain text, repeated keys can change which filter a web application applies, and the fragment after # is handled by the user agent rather than by ordinary server request processing. Separating those choices before sharing or testing a link makes review safer and easier to repeat.
How to Use This Tool:
The parser updates as you type or change handling options, so the safest workflow is to start with the pasted address, confirm the parsing mode, then use the ledgers and rebuilt text for review.
- Paste one full URL, host-like value, or query string into URL or query string. If several lines are pasted, the parser evaluates the first non-empty line and reports that extra lines were ignored.
- Choose Input handling. Use lenient handling for host-only text that should be treated as
https://, strict handling when a scheme is required, and query-only handling for strings such as?status=paid&tag=a. - Set Query values to decoded for everyday reading, raw for percent-encoding checks, or both when you need to compare the readable value with the original encoded bytes.
- Leave Sensitive values set to mask when preparing a link for a ticket, chat, or screenshot. Switch to reveal only when you need exact local evidence and can control where copied text or downloads go.
- Open Advanced when duplicate keys or review formatting matter. The duplicate-key policy changes only the rebuilt review URL, while the query ledger still records each parsed occurrence.
- Read the URL Component Ledger, Query Parameter Ledger, and Inspection Notes before copying Rebuilt URL Text. If an input error appears, fix the scheme or switch to query-only handling before trusting the results.
Interpreting Results:
Start with the host, scheme, origin, and host-label row. Those fields answer whether the link points at the expected destination and whether an explicit port changes the same-origin value; the label split is simple evidence, not a public-suffix or ownership lookup. Then check the query ledger for duplicates, masked values, blank values, decode issues, and dropped rows. A clean parse means the address can be separated into parts; it does not mean the link is safe, reachable, or authorized.
The rebuilt review URL is a review artifact, not always a byte-for-byte replacement for the pasted URL. Masked credentials and token-like query values are intentionally changed, duplicate handling can remove rows, sorting can reorder keys, and fragment removal affects only the rebuilt text. When exact request reproduction matters, compare the component ledger and query ledger against the original pasted text before sharing the rebuilt value.
| Signal | What To Check | Practical Meaning |
|---|---|---|
| Sensitive values | Credentials and token-like query keys | Masked output is safer for sharing; revealed output can expose secrets through clipboard, files, or screenshots. |
| Duplicate keys | Rows with the same decoded key | Different servers may read first, last, or all values, so confirm the intended duplicate policy before using the rebuilt URL. |
| Fragment handling | The value after # |
Fragments can matter to browser navigation, but they are separated from normal server-side request processing. |
| Length check | Normalized parse target over 2000 characters | A long URL may still be valid, but it deserves review before being pasted into systems with length limits. |
Technical Details:
Generic URL syntax separates a reference into scheme, authority, path, query, and fragment. The authority can itself contain user information, a host, and a port. Browser-oriented URL parsing also serializes and normalizes certain pieces, so the value shown after parsing can differ from the exact punctuation in the pasted text while still representing the same address.
Query strings are commonly encoded as form-style key-value pairs. A plus sign is often read as a space in that context, percent-encoded octets are decoded when possible, and keys may appear more than once. Empty values and valueless keys are not always treated differently by web APIs, so the safest debugging record keeps the original order, the decoded form, and the duplicate count visible.
Transformation Core
The parser follows a deterministic transformation from pasted text to review output.
| Stage | Rule | Result To Verify |
|---|---|---|
| Input selection | The first non-empty line is parsed; later non-empty lines are ignored and reported. | The summary and inspection notes should refer to the intended URL. |
| Mode handling | Strict mode requires a scheme, lenient mode adds https:// to host-like input, and query-only mode reads only parameters. |
The URL or query string badge should match the pasted input. |
| Component split | Scheme, credentials, host, port, origin, path, search, fragment, and review URL are separated when a full URL is available. | The URL Component Ledger should expose the expected destination and path. |
| Query ledger | Pairs are split on &, keys and values are decoded for display, and raw encoded values remain available when requested. |
The Query Parameter Ledger should show the expected row count and duplicate occurrences. |
| Review output | Sensitivity masking, duplicate policy, sorting, and fragment removal are applied to the rebuilt review URL only. | Rebuilt URL Text should be checked before copying because it may intentionally differ from the pasted URL. |
Component Map
| Component | Meaning | Common Review Use |
|---|---|---|
| Scheme | The protocol name before the colon, such as https. |
Confirm that security-sensitive links use the expected scheme. |
| Username and password | Credential fields before the host when user information is embedded in the URL. | Remove or mask credentials before sharing a link. |
| Hostname, host, and port | The destination name, with host including an explicit port when present. | Check redirects, environment mixups, and same-origin assumptions. |
| Pathname | The hierarchical resource path after the host and before the query. | Verify that the request targets the expected resource. |
| Search | The query string beginning with ?. |
Review filters, tracking keys, pagination, and duplicate parameters. |
| Fragment | The client-side reference beginning with #. |
Decide whether the fragment belongs in a shareable review URL. |
Malformed percent encodings can make exact decoding uncertain. When decoding fails for a query key or value, the parser keeps the original text for that piece instead of dropping the whole row. This is useful for debugging broken links because the row remains visible, but it also means a readable value may still need comparison with the raw encoded evidence.
Privacy Notes:
Parsing happens in the browser and the parser does not fetch the pasted destination. That reduces exposure during ordinary inspection, but copied text, downloaded reports, browser history, screenshots, and revealed values are still under your control. Keep masking on for real credentials, session identifiers, signatures, password reset links, and analytics identifiers unless there is a clear reason to inspect the exact value locally.
Worked Examples:
API filter with duplicate tags. A URL such as https://api.example.test/orders?status=paid&tag=a&tag=b#summary produces a host in the summary, component rows for scheme, host, path, search, and fragment, and two kept rows for tag in the Query Parameter Ledger. The duplicate-key note should be reviewed before using a rebuilt URL, because preserving both tags is different from keeping only the first or last tag.
Host-only support note. Pasting example.com/pricing?plan=team in lenient handling treats it as an HTTPS URL and exposes example.com as the hostname. The same input in strict handling produces an input error until a scheme is supplied. Use strict handling when the missing scheme itself is the problem you are investigating.
Token-heavy tracking link. A pricing link with utm_source, gclid, and session keys keeps the rows visible while masking token-like values by default. The Inspection Notes should show sensitive values as masked, and Rebuilt URL Text should be treated as a review copy rather than a request-equivalent URL because masked values have been substituted.
FAQ:
Does a valid parse mean the link is safe?
No. A valid parse only means the pasted text can be split into URL parts. Check the hostname, scheme, credentials, query rows, and inspection notes before opening or sharing the link.
Why did strict mode reject my input?
Strict handling requires an absolute URL with a scheme such as https://. Add the scheme, switch to lenient handling for host-like text, or use query-only handling for parameter strings.
Why are some query values masked?
The sensitive-value setting masks credentials and query keys that look like tokens, secrets, passwords, signatures, sessions, or common tracking identifiers. You can reveal values locally, but copied or downloaded output may then contain secrets.
Can duplicate query keys change a request?
Yes. Some systems read the first value, some read the last value, and some accept all occurrences. The query ledger shows every parsed row, while the duplicate-key policy affects the rebuilt review URL.
Why is the fragment shown if servers do not normally receive it?
Fragments can affect browser navigation and single-page app state, so they are useful evidence. The parser still lets you drop the fragment from Rebuilt URL Text when reviewing a server-side request URL.
Glossary:
- Scheme
- The protocol label before the colon, such as
https. - Authority
- The part after
//that can contain credentials, hostname, and port. - Origin
- The scheme, host, and port value used for same-origin comparisons.
- Query string
- The
?portion that carries key-value parameters such as filters, pagination, or tracking values. - Fragment
- The
#portion handled by the user agent as a secondary reference. - Percent encoding
- A way to represent reserved or non-ASCII characters in URL text using percent-prefixed byte values.
References:
- URL Standard, WHATWG, Last Updated 14 April 2026.
- RFC 3986: Uniform Resource Identifier (URI): Generic Syntax, Internet Engineering Task Force, January 2005.
- URL, MDN Web Docs, Apr 27, 2025.
- URLSearchParams, MDN Web Docs, Feb 26, 2025.
- HTTP Query string parameters do not contain sensitive data, OWASP Annotated Application Security Verification Standard.