If a website URL gets encoded then is the website still vulnerable to XSS or no?
For example, if I try <script>alert(1)</script> and the site URL encodes my payload to %3Cscript%3Ealert(1)%3C%2Fscript%3E does this mean the site is vulnerable to XSS or no?
The answer depends on how the page renders your payload.
If the target is a HTML page and the payload still appears as <script>alert(1)</script>, an XSS will occur, assuming no CSP or Chrome's XSS auditor. However, if the HTML page renders your payload in the URL syntax i.e. %3Cscript%3Ealert(1)%3C%2Fscript%3E, there won't be an XSS. Depending on where the payload is injected in the latter, I would also try special characters like " and ' to try escape the URL context to inject directly into the HTML (url) tag.
In that particular example, that parameter would not be vulnerable to XSS.
It does depend, you aren't giving a load of information, but generally speaking that seems to be something like: htmlspecialchars(htmlentities($input)) which is incredibly safe.
This does not mean that the SITE is not vulnerable, it just means that this parameter in particular seems to be safe.
This still depends, is the parameter injecting your input into a link, iframe, image, etc? If it is injecting within another element, it may be possible regardless using methods such as javascript: and data:.
