XML URL Decode Online — Decode URL-Encoded XML

Reverse percent-encoding on XML payloads carried in URL parameters, SOAP-over-GET requests, and form bodies. Restore angle brackets, attributes, and SOAP envelopes — instantly, 100% in your browser.

Input (percent-encoded)

Output (decoded XML)

What is XML URL Decoding?

XML URL decoding reverses the percent-encoding applied to an XML payload before it was placed into a URL or form body. Every %3C becomes <, every %3E becomes >, every %26 becomes &, and multi-byte sequences like %C3%A9 become the original UTF-8 characters. The result is the readable XML document the sender originally produced.

SOAP-over-GET requests, SAML/XACML callbacks, legacy banking and government APIs, and any application/x-www-form-urlencoded POST that ships an XML body all transport their payload as a percent-encoded blob. The OpenFormatter XML URL decoder runs decodeURIComponent in your browser — no upload — so even SOAP envelopes containing credentials stay on your device.

How to URL-decode XML — 4 steps

Find the parameter. In the URL or form body, locate the XML parameter — typically named xml, payload, body, or SAMLRequest — and copy its value (after =, before the next &).
Paste the value only. Drop the percent-encoded string into the Input panel without keys or delimiters.
Click Decode. The tool converts + to space, then resolves every %XX byte sequence using decodeURIComponent.
Format or validate. Paste the decoded XML into the XML Formatter for indentation or the XML Validator for well-formedness checks.

Side-by-side example

Percent-encoded

%3Csoap%3AEnvelope%3E
%3Csoap%3ABody%3E
%3CgetUser%20id%3D%2242%22%2F%3E
%3C%2Fsoap%3ABody%3E
%3C%2Fsoap%3AEnvelope%3E

Decoded XML

<soap:Envelope>
<soap:Body>
<getUser id="42"/>
</soap:Body>
</soap:Envelope>

RFC 3986 + Form Bodies

Decodes both strict RFC 3986 percent-encoding and application/x-www-form-urlencoded payloads where + represents a space.

UTF-8 Multi-Byte

Resolves multi-byte sequences (%C3%A9 → é, %E2%82%AC → €) so non-ASCII XML content survives the round-trip without loss.

Client-Side Only

decodeURIComponent runs in your browser. SOAP envelopes, SAML assertions, and embedded credentials never reach a server.

Common use cases

check_circleDecoding SOAP envelopes carried as a single GET query parameter
check_circleRestoring SAMLRequest and SAMLResponse parameters from SSO redirect URLs
check_circleReading XML payloads from application/x-www-form-urlencoded POST bodies in server logs
check_circleDecoding XACML and WS-Federation state values from OAuth callback URIs
check_circleInspecting legacy banking and government API XML transported via GET
check_circleRestoring XML embedded in deep-link parameters for preview and debug pages
check_circleReading webhook diagnostic captures where XML was URL-encoded for transport
check_circleDecoding XML from analytics tracking parameters after backend logging

URL decoding vs XML unescaping — pick the right step

URL decoding reverses %XX percent-encoding. XML unescaping reverses </&/> entity references. They operate at different layers: a typical SOAP-over-GET payload was first XML-escaped (so < in textual content became <), then URL-encoded (so the whole document became %XX bytes). Decode in reverse order — URL decode first, then XML unescape if you need raw text rather than valid XML structure.

Need to encode instead?

Re-percent-encode XML for embedding in a URL or form body, or chain with our other XML tools — all browser-side.

XML URL Encode XML Formatter All XML Tools

Frequently Asked Questions

When does XML end up percent-encoded inside a URL?

Three common situations. First, GET-style SOAP and legacy enterprise APIs that accept the full envelope as a query parameter. Second, redirect callback URLs that round-trip an XML state value (XACML, SAML LogoutRequest, certain WS-Federation flows). Third, application/x-www-form-urlencoded POST bodies where every byte of an XML payload is escaped to fit the form spec.

Why does my decoded XML have + signs that should be spaces?

The + character represents a space only inside application/x-www-form-urlencoded payloads — not in RFC 3986 query strings. This tool replaces every + with %20 before decoding so form-encoded values round-trip correctly. If your input came from a strict RFC 3986 source where + is meant literally, decode without the substitution by stripping the +-handling step in your own code.

Does this validate that the decoded result is well-formed XML?

No — the tool only reverses percent-encoding. After decoding, paste the result into the XML Validator or XML Formatter to confirm the document parses cleanly and has correct structure.

How do I extract just the XML from a full URL?

Identify the parameter that carries the XML (commonly named xml, payload, body, or saml). Copy the value after the equals sign and before the next ampersand. Paste only that segment — keys and delimiters in the input add literal text to the decoded output.

How are multi-byte UTF-8 sequences handled?

decodeURIComponent reads consecutive %XX bytes as a UTF-8 byte sequence and returns the corresponding code point. So %C3%A9 becomes é, %E2%82%AC becomes €, and %F0%9F%9A%80 becomes 🚀. If the input contains a malformed sequence — for example an isolated %C3 without its continuation byte — the function throws URIError and the tool surfaces the error.

Why do I see %26 in the input even though the data is XML?

XML uses & inside &, <, ", etc. When the entire XML is then percent-encoded for a URL, every & — including those inside entity references — becomes %26. After decoding, you will see & restored to its escaped form (&); this is correct because the underlying XML still contains the entity reference. Run XML Unescape next if you need the actual literal characters.

Is there a length limit?

The tool itself has no hard limit, but the URLs that carried the XML do. Most browsers and proxies cap URLs around 2,000–8,000 characters, so XML payloads larger than ~500 lines were almost certainly transported in a POST body, not a query string. If you have a long input, it likely came from a form body or a server log rather than a live URL.

Is my XML uploaded to a server?

No. decodeURIComponent runs in your browser. SOAP envelopes, SAML assertions, and any embedded credentials never leave the page. Verify in DevTools → Network — no request fires when you click Decode.