Developer Workflow

Fix double-encoded query parameters

Recover broken URL links when `%` characters were encoded twice during redirects, webhook forwarding, or third-party OAuth callbacks.

Problem

Many callback URLs and webhook URLs are encoded more than once during proxying. When `%` becomes `%25`, some systems treat the value as literal text, and you get malformed links, signature mismatches, or hidden tracking values that look correct at first glance.

When to use this

  • An OAuth redirect URL returns an `invalid_request` or callback error.
  • A webhook endpoint receives encoded payload values with `%2520`, `%253A`, or `%257B` patterns.
  • Analytics/tracker parameters break because one layer is decoded too late or too early.
  • You need to compare an original URL against one cleanly decoded variant before testing.

Steps

  1. Capture the full raw URL

    Copy the complete URL from the browser, logs, or callback payload. Do not trim at `?` or `&`; both sides of the query must stay intact.

  2. Check key shape first

    Open `URL Parser` to inspect query parameter keys and confirm which parameter actually carries the nested value (for example `state`, `redirect`, `returnUrl`, or `callback`).

  3. Decode in one controlled step

    Run one decode pass and verify nested values. If `%2520` becomes `%20` but still fails in the receiving system, a second decode may be required—but only for the nested value.

  4. Re-encode only at the end

    After you confirm a valid URL, encode once before returning it to app config, callback allowlists, or redirect registration.

Example

OAuth state parameter with double encoding

Input

https://app.example.com/callback?state=%257B%2522next%2522%253A%2522https%253A%252F%252Fclient.example.com%252Fpost-login%253Futm%253Dsource%2520campaign%2522%257D

Output

https://app.example.com/callback?state={"next":"https://client.example.com/post-login?utm=source campaign"}
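
The steps above applied to this input, as an added JavaScript example that is not the site's own tooling: it peels extra encoding layers from one named parameter only and leaves the rest of the URL untouched. The names `repairParam`, `peelToSingleEncoding`, `MAX_PASSES` and the extra `code` parameter are assumptions made for illustration.

```javascript
// Added example, not the page's tools. Heuristic: "%25" followed by two hex
// digits marks an extra encoding layer. A value that really contains text such
// as "%41" looks the same, so review the reported pass count.
const EXTRA_LAYER = /%25[0-9A-Fa-f]{2}/;
const MAX_PASSES = 3; // assumption: deeper nesting is left for manual review

// Peel extra layers from one raw value until it is percent-encoded exactly once.
function peelToSingleEncoding(raw) {
  let value = raw;
  let passes = 0;
  while (EXTRA_LAYER.test(value) && passes < MAX_PASSES) {
    try {
      value = decodeURIComponent(value);
    } catch {
      break; // malformed "%" sequence: keep the last good value
    }
    passes += 1;
  }
  return { value, passes };
}

// Repair only the parameter `name`; the rest of the URL is copied byte for byte.
function repairParam(url, name) {
  const hashAt = url.indexOf("#");
  const fragment = hashAt === -1 ? "" : url.slice(hashAt);
  const head = hashAt === -1 ? url : url.slice(0, hashAt);
  const queryAt = head.indexOf("?");
  if (queryAt === -1) return { url, passes: 0, decoded: null };
  let passes = 0;
  let decoded = null;
  const pairs = head.slice(queryAt + 1).split("&").map((pair) => {
    const eq = pair.indexOf("=");
    if (eq === -1 || pair.slice(0, eq) !== name) return pair;
    const peeled = peelToSingleEncoding(pair.slice(eq + 1));
    passes = peeled.passes;
    try { decoded = decodeURIComponent(peeled.value); } catch { decoded = null; }
    return name + "=" + peeled.value;
  });
  const fixed = head.slice(0, queryAt + 1) + pairs.join("&") + fragment;
  return { url: fixed, passes, decoded };
}

// The page's example input plus a constructed `code` parameter that must not change.
const input = "https://app.example.com/callback?state=%257B%2522next%2522%253A%2522https%253A%252F%252Fclient.example.com%252Fpost-login%253Futm%253Dsource%2520campaign%2522%257D&code=a%2Fb";
const result = repairParam(input, "state");
console.log(result.passes, result.url);
console.log(result.decoded); // decoded view, for inspection only
```

The `url` field is the once-encoded form to store or register; `decoded` is the value to inspect and validate, for example checking the nested `next` target against your redirect allowlist.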

Common mistakes

Decoding the entire URL repeatedly

Decoding the full URL more than once can break punctuation (`?`, `&`, `/`) and make the link impossible to recover. Keep control at parameter scope.

Mixing decode and encode order

Encoding before validation can hide corruption. Validate a raw-decoded value first, then encode once for transport.

Assuming `+` always means space

In URL query strings, `+` handling differs by server framework and parser. If behavior is inconsistent, test how your parser decodes `+` and inspect the result, then normalize intentionally.

FAQ

How many times should I decode?

Usually once. Use second-pass decoding only on the nested value you identified, not on the full URL.

Is this a 301 redirect problem?

Sometimes. If a proxy or CDN normalizes URLs before forwarding, check redirect config. But many issues are just double-encoded query values.

Which tool should I start with?

Start with `URL Encoder and Decoder` to test decode layers, then `URL Parser` and `Query String Parser` to verify parameter boundaries.