Document Workflow

Debug encoded query parameters without double-decoding them

Preserve raw query evidence, identify form-plus and percent-decoding boundaries, inspect one nested string grammar, and rebuild only the broken parameter layer.

Written and tested by Published: Reviewed:

How this workflow was checked

Using Developer Conversion Workbench, we reproduced “Keep repeated tags while separating URL and JSON-string decoding” from the exact sample input. The result comparison covered “Choose URL source or query-text source explicitly” and “Compare every raw and decoded entry in order”; the linked test evidence was then checked for “Replacing plus signs globally” and “Using a string unescaper as a URL decoder”.

Repeated tag values stayed ordered, q became “C++ URL,” message became two lines only after its second-format decode, the bare flag survived, and #results remained a fragment.

Problem

A query value can pass through URL parsing, form-query decoding, a framework parameter API, JSON parsing, and application-specific unescaping. Applying decodeURIComponent or a string unescaper to the entire URL can activate protected ampersands, turn a literal plus into a space, collapse duplicate evidence, or decode a nested value one layer too early. This workflow records each layer before changing one component.

When to use this

  • A C++, phone-number, signature, or search value changes because +, %2B, and %20 are being treated as interchangeable.
  • A repeated filter, tag, scope, or state key reaches the backend with only one value.
  • A query value contains JSON string escapes such as \n or \uXXXX after URL decoding.
  • A returnUrl, next, redirect, or payload value contains encoded ampersands, equals signs, question marks, or a fragment.
  • A client and server log show different values but neither log preserves the original raw query segment.

Steps

  1. Step 1

    Capture the exact request target before editing

    Keep a private copy of the original URL or raw query. Remove live tokens, authorization codes, personal data, and credentials from anything that will be shared, but preserve ampersands, equals signs, repeated keys, plus signs, percent bytes, and the fragment structure in the protected evidence.

  2. Step 2

    Choose URL source or query-text source explicitly

    Open Query strings in Developer Conversion Workbench. Use Absolute URL when you have the complete request URL, or Query text when you have only the part after ?. URL source mode validates the absolute URL and excludes the fragment before splitting entries.

  3. Step 3

    Compare every raw and decoded entry in order

    Run the report and inspect raw key, raw value, decoded key, decoded value, equals-sign state, empty segments, and repeated keys. A raw + becomes a decoded space under form rules; %2B becomes a literal plus. Do not collapse repeated keys until the receiving framework is tested.

  4. Step 4

    Isolate exactly one nested value

    Copy only the decoded value that still contains another grammar. If it is JSON string content containing sequences such as \n, open String escapes, choose JSON and Unescape, and process that value alone. If it is a nested URL, parse that value separately instead of decoding the outer URL again.

  5. Step 5

    Repair one layer and encode it once

    Change the proven broken value in its native form. Use URL Encoder and Decoder on that single query component when reserved characters must survive transport. Avoid global replacement and repeated decode-until-readable loops because they destroy evidence about the original layer.

  6. Step 6

    Reparse and reproduce the actual receiver

    Insert the repaired component into the outer query, run the report again, and compare raw and decoded columns with the intended values. Then send it only in a controlled environment and record what the real framework exposes for duplicate keys, blank values, plus signs, and nested content.

Example

Keep repeated tags while separating URL and JSON-string decoding

Input

https://example.com/search?tag=one&tag=two&q=C%2B%2B+URL&message=Line%5CnNext&flag#results

Output

tag stays as two ordered entries; q decodes to C++ URL; message URL-decodes to the JSON string content Line\nNext and then JSON-unescapes to two lines; flag remains an entry without an equals sign; #results is excluded from the query

Common mistakes

Decoding the complete URL

Decoding all percent escapes at once can activate a nested &, =, ?, or # in the outer layer. Parse the outer query first and process only the selected value.

Replacing plus signs globally

At each decoding layer, record whether + arrived literally or as %2B. Replacing every plus before the current layer is understood can damage C++, signatures, phone numbers, and opaque identifiers.

Using a string unescaper as a URL decoder

Backslash escapes and percent escapes are different grammars. URL-decode the parameter layer first, then unescape only nested JSON or JavaScript string content when that grammar is actually present.

Flattening repeated keys into an object

Object conversion can retain only one value. Preserve ordered entries until the receiver's first-value, last-value, or list behavior has been observed.

Sharing raw production parameters

Local processing does not remove secrets from screenshots or downloaded reports. Redact tokens, personal data, authorization codes, and proprietary payloads before evidence leaves the trusted environment.

FAQ

How many times should a query parameter be decoded?

Decode once for each documented encoding layer. Start with the outer query, inspect the resulting one parameter value, and decode a nested URL or string grammar only when that value is explicitly encoded for another parser.

Why are flag and empty= shown differently?

flag has no equals sign, while empty= explicitly supplies an empty value. Some frameworks treat them the same and others do not, so the report preserves the syntax instead of choosing a policy.

Which value wins when a query key repeats?

The URL preserves source order, but frameworks differ: first, last, list, or custom behavior are all possible. Test the actual receiver rather than collapsing the values during diagnosis.

Should I choose JSON or JavaScript for backslash escapes?

Choose the grammar of the parser that consumes the nested string. JSON is stricter. JavaScript mode supports additional explicit forms but still rejects unknown, legacy octal, trailing, and malformed Unicode escapes.

Does a successful local report prove the request will work?

No. It proves only that the bounded local syntax was processed under the selected rules. Proxy rewriting, framework parsing, signatures, redirects, authorization, network behavior, and destination safety require separate tests.

Does the workbench send my URL or parameter values anywhere?

No network request is made for these transformations. Analytics receives only the selected mode and aggregate counts, not URL text, keys, values, nested payloads, or generated reports.