{
  "case": "double-encode",
  "description": "Double URL encoding - encoding special characters twice to bypass single-decode filters",
  "example": "Original: \u003cscript\u003ealert('xss')\u003c/script\u003e\nSingle encoded: %3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E\nDouble encoded: %253Cscript%253Ealert%2528%2527xss%2527%2529%253C%252Fscript%253E",
  "note": "These payloads are for testing WAF/proxy inspection. They are returned as strings and not executed.",
  "payload": "%253Cscript%253Ealert%2528%2527xss%2527%2529%253C%252Fscript%253E"
}