There are 2 different types of restrictions, and both are always in effect.
(1) The only characters allowed in a URL at all are
uppercase A-Z
lowercase a-z
numbers 0-9
and the symbols - . _ ~ : / ? # [ ] @ ! $ & ' ( ) * + , ; =
All other characters must be URL-encoded (a.k.a. percent-encoded). For example, double-quote " must be %22. Curly apostrophe ’ must be %E2%80%99.
(2) Even the symbols in (1) that are generally allowed are must be URL-encoded when they would otherwise have a special meaning in a URL. For example, plain ampersand & is allowed in general. But it also is used to separate query parameters. So if a query param (name or value) includes &, it must be encoded as %26.
If it seems like I'm trying to scare you... I am! It's exceedingly rare to be able to guarantee that user-supplied data will not need to be encoded.
Even a seeming exception like Phone cannot be trusted in reality, unless it's already been sanitized to not contain a + sign. Email addresses cannot be trusted because they may contain several characters, however basic, that need to be encoded.
And that's before we even get to non-ASCII characters. Unless you're dealing with an audience that can be guaranteed to not have any accented Latin-1 characters in their first or last names, let alone any non-Latin-1 characters — and can't think of any country where that's true — you can't just send the native value in a URL.
You can see why it's so rare to actually be able to guarantee that you won't need escaping.
.png)
Adchoices