UTF-8 is a character encoding standard used for electronic communication. Defined by the Unicode Standard, the name is derived from Unicode Transformation Format – 8-bit.[1] Almost every webpage is stored in UTF-8.
UTF-8 is capable of encoding all 1,112,064[2] valid Unicode scalar values using a variable-width encoding of one to four one-byte (8-bit) code units. Code points with lower numerical values, which tend to occur more frequently, are encoded using fewer bytes. It was designed for backward compatibility with ASCII: the first 128 characters of Unicode, which correspond one-to-one with ASCII, are encoded using a single byte with the same binary value as ASCII, so that a UTF-8-encoded file using only those characters is identical to an ASCII file. Most software designed for any extended ASCII can read and write UTF-8 (including on Microsoft Windows) and this results in fewer internationalization issues than any alternative text encoding.[3][4]
UTF-8 is dominant for all countries/languages on the internet, is used in most standards, often the only allowed encoding, and is supported by all modern operating systems and programming languages.
The International Organization for Standardization (ISO) set out to compose a universal multi-byte character set in 1989. The draft ISO 10646 standard contained a non-required annex called UTF-1 that provided a byte stream encoding of its 32-bit code points. This encoding was not satisfactory on performance grounds, among other problems, and the biggest problem was probably that it did not have a clear separation between ASCII and non-ASCII: new UTF-1 tools would be backward compatible with ASCII-encoded text, but UTF-1-encoded text could confuse existing code expecting ASCII (or extended ASCII), because it could contain continuation bytes in the range 0x21–0x7E that meant something else in ASCII, e.g., 0x2F for /, the Unixpath directory separator.
In July 1992, the X/Open committee XoJIG was looking for a better encoding. Dave Prosser of Unix System Laboratories submitted a proposal for one that had faster implementation characteristics and introduced the improvement that 7-bit ASCII characters would only represent themselves; multi-byte sequences would only include bytes with the high bit set. The name File System Safe UCS Transformation Format (FSS-UTF)[5] and most of the text of this proposal were later preserved in the final specification.[6][7][8] In August 1992, this proposal was circulated by an IBM X/Open representative to interested parties. A modification by Ken Thompson of the Plan 9 operating system group at Bell Labs made it self-synchronizing, letting a reader start anywhere and immediately detect character boundaries, at the cost of being somewhat less bit-efficient than the previous proposal. It also abandoned the use of biases that prevented overlong encodings.[8][9] Thompson's design was outlined on September 2, 1992, on a placemat in a New Jersey diner with Rob Pike. In the following days, Pike and Thompson implemented it and updated Plan 9 to use it throughout,[10] and then communicated their success back to X/Open, which accepted it as the specification for FSS-UTF.[8]
In November 2003, UTF-8 was restricted by RFC3629 to match the constraints of the UTF-16 character encoding: explicitly prohibiting code points corresponding to the high and low surrogate characters removed more than 3% of the three-byte sequences, and ending at U+10FFFF removed more than 48% of the four-byte sequences and all five- and six-byte sequences.[13]
Description
UTF-8 encodes code points in one to four bytes, depending on the value of the code point. In the following table, the characters u to z are replaced by the bits of the code point, from the positions U+uvwxyz:
This is a prefix code and it is unnecessary to read past the last byte of a code point to decode it. Unlike many earlier multi-byte text encodings such as Shift-JIS, it is self-synchronizing so searches for short strings or characters are possible and that the start of a code point can be found from a random position by backing up at most 3 bytes. The values chosen for the lead bytes means sorting a list of UTF-8 strings puts them in the same order as sorting UTF-32 strings.
Overlong encodings
Using a row in the above table to encode a code point less than "First code point" (thus using more bytes than necessary) is termed an overlong encoding. These are a security problem because they allow the same code point to be encoded in multiple ways. Overlong encodings (of ../ for example) have been used to bypass security validations in high-profile products including Microsoft's IIS web server[14] and Apache's Tomcat servlet container.[15] Overlong encodings should therefore be considered an error and never decoded. Modified UTF-8 allows an overlong encoding of U+0000.
Byte map
The chart below gives the detailed meaning of each byte in a stream encoded in UTF-8.
0
1
2
3
4
5
6
7
8
9
A
B
C
D
E
F
0
␀
␁
␂
␃
␄
␅
␆
␇
␈
␉
␊
␋
␌
␍
␎
␏
1
␐
␑
␒
␓
␔
␕
␖
␗
␘
␙
␚
␛
␜
␝
␞
␟
2
␠
!
"
#
$
%
&
'
(
)
*
+
,
-
.
/
3
0
1
2
3
4
5
6
7
8
9
:
;
<
=
>
?
4
@
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
5
P
Q
R
S
T
U
V
W
X
Y
Z
[
\
]
^
_
6
`
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
7
p
q
r
s
t
u
v
w
x
y
z
{
|
}
~
␡
8
9
A
B
C
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
D
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
E
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
3
F
4
4
4
4
4
4
4
4
5
5
5
5
6
6
ASCII control character
ASCII character
Continuation byte
First byte of a 2-byte code point
First byte of a 3-byte code point
First byte of a 4-byte code point
Unused
Error handling
Not all sequences of bytes are valid UTF-8. A UTF-8 decoder should be prepared for:
Bytes that never appear in UTF-8: 0xC0, 0xC1, 0xF5–0xFF
A "continuation byte" (0x80–0xBF) at the start of a character
A non-continuation byte (or the string ending) before the end of a character
An overlong encoding (0xE0 followed by less than 0xA0, or 0xF0 followed by less than 0x90)
A 4-byte sequence that decodes to a value greater than U+10FFFF (0xF4 followed by 0x90 or greater)
Many of the first UTF-8 decoders would decode these, ignoring incorrect bits. Carefully crafted invalid UTF-8 could make them either skip or create ASCII characters such as NUL, slash, or quotes, leading to security vulnerabilities. It is also common to throw an exception or truncate the string at an error[16] but this turns what would otherwise be harmless errors (i.e. "file not found") into a denial of service, for instance early versions of Python 3.0 would exit immediately if the command line or environment variables contained invalid UTF-8.[17]
RFC 3629 states "Implementations of the decoding algorithm MUST protect against decoding invalid sequences."[18]The Unicode Standard requires decoders to: "... treat any ill-formed code unit sequence as an error condition. This guarantees that it will neither interpret nor emit an ill-formed code unit sequence." The standard now recommends replacing each error with the replacement character "�" (U+FFFD) and continue decoding.
Some decoders consider the sequence E1,A0,20 (a truncated 3-byte code followed by a space) as a single error. This is not a good idea as a search for a space character would find the one hidden in the error. Since Unicode 6 (October 2010)[19] the standard (chapter 3) has recommended a "best practice" where the error is either one continuation byte, or ends at the first byte that is disallowed, so E1,A0,20 is a two-byte error followed by a space. This means an error is no more than three bytes long and never contains the start of a valid character, and there are 21,952 different possible errors. Technically this makes UTF-8 no longer a prefix code (you have to read one byte past some errors to figure out they are an error), but searching still works if the searched-for string does not contain any errors.
Making each byte be an error, in which case E1,A0,20 is two errors followed by a space, also still allows searching for a valid string. This means there are only 128 different errors which makes it practical to store the errors in the output string,[20] or replace them with characters from a legacy encoding.
Only a small subset of possible byte strings are error-free UTF-8: several bytes cannot appear; a byte with the high bit set cannot be alone; and in a truly random string a byte with a high bit set has only a 1⁄15 chance of starting a valid UTF-8 character. This has the (possibly unintended) consequence of making it easy to detect if a legacy text encoding is accidentally used instead of UTF-8, making conversion of a system to UTF-8 easier and avoiding the need to require a Byte Order Mark or any other metadata.
Surrogates
Since RFC 3629 (November 2003), the high and low surrogates used by UTF-16 (U+D800 through U+DFFF) are not legal Unicode values, and their UTF-8 encodings must be treated as an invalid byte sequence.[18] These encodings all start with 0xED followed by 0xA0 or higher. This rule is often ignored as surrogates are allowed in Windows filenames and this means there must be a way to store them in a string.[21] UTF-8 that allows these surrogate halves has been (informally) called WTF-8,[22] while another variation that also encodes all non-BMP characters as two surrogates (6 bytes instead of 4) is called CESU-8.
Byte-order mark
If the Unicode byte-order markU+FEFF is at the start of a UTF-8 file, the first three bytes will be 0xEF, 0xBB, 0xBF.
The Unicode Standard neither requires nor recommends the use of the BOM for UTF-8, but warns that it may be encountered at the start of a file trans-coded from another encoding.[23] While ASCII text encoded using UTF-8 is backward compatible with ASCII, this is not true when Unicode Standard recommendations are ignored and a BOM is added. A BOM can confuse software that isn't prepared for it but can otherwise accept UTF-8, e.g. programming languages that permit non-ASCII bytes in string literals but not at the start of the file. Nevertheless, there was and still is software that always inserts a BOM when writing UTF-8, and refuses to correctly interpret UTF-8 unless the first character is a BOM (or the file only contains ASCII).[24]
For a long time there was considerable argument as to whether it was better to process text in UTF-16 or in UTF-8.
The primary advantage of UTF-16 is that the Windows API required it to be used to get access to all Unicode characters (only recently has this been fixed). This caused several libraries such as Qt to also use UTF-16 strings which propagates this requirement to non-Windows platforms.
In the early days of Unicode there were no characters greater than U+FFFF and combining characters were rarely used, so the 16-bit encoding was fixed-size. This made processing of text more efficient, though the gains are nowhere as great as novice programmers may imagine. All such advantages were lost as soon as UTF-16 became variable width as well.
The code points U+0800–U+FFFF take 3 bytes in UTF-8 but only 2 in UTF-16. This led to the idea that text in Chinese and other languages would take more space in UTF-8. However, text is only larger if there are more of these code points than 1-byte ASCII code points, and this rarely happens in the real-world documents due to spaces, newlines, digits, punctuation, English words, and (depending on document format) markup.
UTF-8 has the advantages of being trivial to retrofit to any system that could handle an extended ASCII, not having byte-order problems, and taking about 1/2 the space for any language using mostly Latin letters.
UTF-8 has been the most common encoding for the World Wide Web since 2008.[26] As of November 2024[update], UTF-8 is used by 98.4% of surveyed web sites.[27] Although many pages only use ASCII characters to display content, very few websites now declare their encoding to only be ASCII instead of UTF-8.[28] Virtually all countries and languages have 95% or more use of UTF-8 encodings on the web.
Many standards only support UTF-8, e.g. JSON exchange requires it (without a byte-order mark (BOM)).[29] UTF-8 is also the recommendation from the WHATWG for HTML and DOM specifications, and stating "UTF-8 encoding is the most appropriate encoding for interchange of Unicode"[4] and the Internet Mail Consortium recommends that all e‑mail programs be able to display and create mail using UTF-8.[30][31] The World Wide Web Consortium recommends UTF-8 as the default encoding in XML and HTML (and not just using UTF-8, also declaring it in metadata), "even when all characters are in the ASCII range ... Using non-UTF-8 encodings can have unexpected results".[32]
Lots of software has the ability to read/write UTF-8. It may though require the user to change options from the normal settings, or may require a BOM (byte-order mark) as the first character to read the file. Examples of software supporting UTF-8 include Microsoft Word,[33][34][35]Microsoft Excel (2016 and later),[36][37]Google Drive, LibreOffice and most databases.
Software that "defaults" to UTF-8 (meaning it writes it without the user changing settings, and it reads it without a BOM) has become more common since 2010.[38]Windows Notepad, in all currently supported versions of Windows, defaults to writing UTF-8 without a BOM (a change from Windows 7Notepad), bringing it into line with most other text editors.[39] Some system files on Windows 11 require UTF-8[40] with no requirement for a BOM, and almost all files on macOS and Linux are required to be UTF-8 without a BOM.[citation needed] Programming languages that default to UTF-8 for I/O include Ruby 3.0,[41][42]R 4.2.2,[43]Raku and Java 18.[44] Although the current version of Python requires an option to open() to read/write UTF-8,[45] plans exist to make UTF-8 I/O the default in Python 3.15.[46]C++23 adopts UTF-8 as the only portable source code file format.[47]
Backwards compatibility is a serious impediment to changing code and APIs using UTF-16 to use UTF-8, but this is happening. As of May 2019[update], Microsoft added the capability for an application to set UTF-8 as the "code page" for the Windows API, removing the need to use UTF-16; and more recently has recommended programmers use UTF-8,[48] and even states "UTF-16 [...] is a unique burden that Windows places on code that targets multiple platforms".[3]
The default string primitive in Go,[49]Julia, Rust, Swift (since version 5),[50] and PyPy[51] uses UTF-8 internally in all cases. Python (since version 3.3) uses UTF-8 internally for Python C API extensions[52][53] and sometimes for strings[52][54] and a future version of Python is planned to store strings as UTF-8 by default.[55][56] Modern versions of Microsoft Visual Studio use UTF-8 internally.[57] Microsoft's SQL Server 2019 added support for UTF-8, and using it results in a 35% speed increase, and "nearly 50% reduction in storage requirements."[58]
Java internally uses Modified UTF-8 (MUTF-8), in which the null characterU+0000 uses the two-byte overlong encoding 0xC0, 0x80, instead of just 0x00.[59] Modified UTF-8 strings never contain any actual null bytes but can contain all Unicode code points including U+0000,[60] which allows such strings (with a null byte appended) to be processed by traditional null-terminated string functions. Java reads and writes normal UTF-8 to files and streams,[61] but it uses Modified UTF-8 for object serialization,[62][63] for the Java Native Interface,[64] and for embedding constant strings in class files.[65] The dex format defined by Dalvik also uses the same modified UTF-8 to represent string values.[66]Tcl also uses the same modified UTF-8[67] as Java for internal representation of Unicode data, but uses strict CESU-8 for external data. All known Modified UTF-8 implementations also treat the surrogate pairs as in CESU-8.
Raku programming language (formerly Perl 6) uses utf-8 encoding by default for I/O (Perl 5 also supports it); though that choice in Raku also implies "normalization into Unicode NFC (normalization form canonical). In some cases you may want to ensure no normalization is done; for this you can use utf8-c8".[68] That UTF-8 Clean-8 variant, implemented by Raku, is an encoder/decoder that preserves bytes as is (even illegal UTF-8 sequences) and allows for Normal Form Grapheme synthetics.[69]
Version 3 of the Python programming language treats each byte of an invalid UTF-8 bytestream as an error (see also changes with new UTF-8 mode in Python 3.7[70]); this gives 128 different possible errors. Extensions have been created to allow any byte sequence that is assumed to be UTF-8 to be losslessly transformed to UTF-16 or UTF-32, by translating the 128 possible error bytes to reserved code points, and transforming those code points back to error bytes to output UTF-8. The most common approach is to translate the codes to U+DC80...U+DCFF which are low (trailing) surrogate values and thus "invalid" UTF-16, as used by Python's PEP 383 (or "surrogateescape") approach.[20] Another encoding called MirBSD OPTU-8/16 converts them to U+EF80...U+EFFF in a Private Use Area.[71] In either approach, the byte value is encoded in the low eight bits of the output code point. These encodings are needed if invalid UTF-8 is to survive translation to and then back from the UTF-16 used internally by Python, and as Unix filenames can contain invalid UTF-8 it is necessary for this to work.[72]
Standards
The official name for the encoding is UTF-8, the spelling used in all Unicode Consortium documents. The hyphen-minus is required and no spaces are allowed. Some other names used are:
Most standards are also case-insensitive and utf-8 is often used.[citation needed]
Web standards (which include CSS, HTML, XML, and HTTP headers) also allow utf8 and many other aliases.[73]
They are all the same in their general mechanics, with the main differences being on issues such as allowed range of code point values and safe handling of invalid input.
^Wouters, Thomas (2023-07-11). "Python 3.12.0 beta 4 released". Python Insider (pythoninsider.blogspot.com) (blog post). Retrieved 2023-07-26. The deprecated wstr and wstr_length members of the C implementation of unicode objects were removed, per PEP 623.
^"validate-charset (validate for compatible characters)". docs.microsoft.com. Retrieved 2021-07-19. Visual Studio uses UTF-8 as the internal character encoding during conversion between the source character set and the execution character set.
^Liviu (2014-02-07). "UTF-8 codepage 65001 in Windows 7 - part I". Retrieved 2018-01-30. Previously under XP (and, unverified, but probably Vista, too) for loops simply did not work while codepage 65001 was active