Decoding query parameters safely means respecting the boundary between URL syntax and parameter data. Split the query string into parameters first, then decode each parameter name and value according to the encoding format it uses.
For manual inspection, paste individual values into the URL Decode tool rather than blindly decoding an entire complex URL.
How do I decode query parameters safely?
Decode query parameters safely by parsing the URL first, splitting the query at real & separators, then decoding each name and value exactly once. This prevents encoded separators such as %26 and %3D from being mistaken for actual query syntax.
Why not decode the whole query string first?
Decoding the whole query string first can turn data back into syntax. For example, %26 becomes & and %3D becomes =, which may make one parameter value look like multiple parameters after decoding.
Should plus signs become spaces in query parameters?
Plus signs become spaces only when the query string uses form encoding. Many web frameworks treat query strings this way, but plain decodeURIComponent does not. If a literal plus is important, it should have been encoded as %2B.
How do I decode a nested redirect URL?
Decode a nested redirect URL one layer at a time. First parse the outer URL and extract the redirect_uri, next, or return_to value. Then decode that value and inspect the inner URL separately, rather than decoding everything in one pass.
How many times should I decode a parameter?
Decode a parameter once unless you can prove it was intentionally encoded more than once. Repeated decoding can change literal percent signs into escape sequences or turn safely encoded delimiters into active URL syntax.
What are signs that a query value is still encoded?
A query value is probably still encoded if it contains readable percent sequences such as %20, %2F, %3A, %3F, or %26 after one decode. That may be correct for nested URLs, but it is also a clue to inspect the value layer by layer.
What tool should I use for manual debugging?
Use the URL Decode tool for each suspicious query value, not only for the full URL. For edited values, use the URL Encode tool before putting them back into the link.