Document Workflow
Debug encoded query parameters without double-decoding them
Preserve raw query evidence, identify form-plus and percent-decoding boundaries, inspect one nested string grammar, and rebuild only the broken parameter layer.
Written and tested by SimpleWebUtilsPublished: Reviewed:
How this workflow was checked
Using Developer Conversion Workbench, we reproduced “Keep repeated tags while separating URL and JSON-string decoding” from the exact sample input. The result comparison covered “Choose URL source or query-text source explicitly” and “Compare every raw and decoded entry in order”; the linked test evidence was then checked for “Replacing plus signs globally” and “Using a string unescaper as a URL decoder”.
Repeated tag values stayed ordered, q became “C++ URL,” message became two lines only after its second-format decode, the bare flag survived, and #results remained a fragment.
Problem
A query value can pass through URL parsing, form-query decoding, a framework parameter API, JSON parsing, and application-specific unescaping. Applying decodeURIComponent or a string unescaper to the entire URL can activate protected ampersands, turn a literal plus into a space, collapse duplicate evidence, or decode a nested value one layer too early. This workflow records each layer before changing one component.
When to use this
- A C++, phone-number, signature, or search value changes because +, %2B, and %20 are being treated as interchangeable.
- A repeated filter, tag, scope, or state key reaches the backend with only one value.
- A query value contains JSON string escapes such as \n or \uXXXX after URL decoding.
- A returnUrl, next, redirect, or payload value contains encoded ampersands, equals signs, question marks, or a fragment.
- A client and server log show different values but neither log preserves the original raw query segment.
Steps
- Step 1
Capture the exact request target before editing
Keep a private copy of the original URL or raw query. Remove live tokens, authorization codes, personal data, and credentials from anything that will be shared, but preserve ampersands, equals signs, repeated keys, plus signs, percent bytes, and the fragment structure in the protected evidence.
- Step 2
Choose URL source or query-text source explicitly
Open Query strings in Developer Conversion Workbench. Use Absolute URL when you have the complete request URL, or Query text when you have only the part after ?. URL source mode validates the absolute URL and excludes the fragment before splitting entries.
- Step 3
Compare every raw and decoded entry in order
Run the report and inspect raw key, raw value, decoded key, decoded value, equals-sign state, empty segments, and repeated keys. A raw + becomes a decoded space under form rules; %2B becomes a literal plus. Do not collapse repeated keys until the receiving framework is tested.
- Step 4
Isolate exactly one nested value
Copy only the decoded value that still contains another grammar. If it is JSON string content containing sequences such as \n, open String escapes, choose JSON and Unescape, and process that value alone. If it is a nested URL, parse that value separately instead of decoding the outer URL again.
- Step 5
Repair one layer and encode it once
Change the proven broken value in its native form. Use URL Encoder and Decoder on that single query component when reserved characters must survive transport. Avoid global replacement and repeated decode-until-readable loops because they destroy evidence about the original layer.
- Step 6
Reparse and reproduce the actual receiver
Insert the repaired component into the outer query, run the report again, and compare raw and decoded columns with the intended values. Then send it only in a controlled environment and record what the real framework exposes for duplicate keys, blank values, plus signs, and nested content.
Example
Keep repeated tags while separating URL and JSON-string decoding
Input
https://example.com/search?tag=one&tag=two&q=C%2B%2B+URL&message=Line%5CnNext&flag#resultsOutput
tag stays as two ordered entries; q decodes to C++ URL; message URL-decodes to the JSON string content Line\nNext and then JSON-unescapes to two lines; flag remains an entry without an equals sign; #results is excluded from the queryCommon mistakes
Decoding the complete URL
Decoding all percent escapes at once can activate a nested &, =, ?, or # in the outer layer. Parse the outer query first and process only the selected value.
Replacing plus signs globally
At each decoding layer, record whether + arrived literally or as %2B. Replacing every plus before the current layer is understood can damage C++, signatures, phone numbers, and opaque identifiers.
Using a string unescaper as a URL decoder
Backslash escapes and percent escapes are different grammars. URL-decode the parameter layer first, then unescape only nested JSON or JavaScript string content when that grammar is actually present.
Flattening repeated keys into an object
Object conversion can retain only one value. Preserve ordered entries until the receiver's first-value, last-value, or list behavior has been observed.
Sharing raw production parameters
Local processing does not remove secrets from screenshots or downloaded reports. Redact tokens, personal data, authorization codes, and proprietary payloads before evidence leaves the trusted environment.
FAQ
How many times should a query parameter be decoded?
Decode once for each documented encoding layer. Start with the outer query, inspect the resulting one parameter value, and decode a nested URL or string grammar only when that value is explicitly encoded for another parser.
Why are flag and empty= shown differently?
flag has no equals sign, while empty= explicitly supplies an empty value. Some frameworks treat them the same and others do not, so the report preserves the syntax instead of choosing a policy.
Which value wins when a query key repeats?
The URL preserves source order, but frameworks differ: first, last, list, or custom behavior are all possible. Test the actual receiver rather than collapsing the values during diagnosis.
Should I choose JSON or JavaScript for backslash escapes?
Choose the grammar of the parser that consumes the nested string. JSON is stricter. JavaScript mode supports additional explicit forms but still rejects unknown, legacy octal, trailing, and malformed Unicode escapes.
Does a successful local report prove the request will work?
No. It proves only that the bounded local syntax was processed under the selected rules. Proxy rewriting, framework parsing, signatures, redirects, authorization, network behavior, and destination safety require separate tests.
Does the workbench send my URL or parameter values anywhere?
No network request is made for these transformations. Analytics receives only the selected mode and aggregate counts, not URL text, keys, values, nested payloads, or generated reports.