ColdFusion -- Do I need URLDecode with form POSTs? / URLDecode randomly removes one character

I'm using a WYSIWYG to allow users to format text. This is the error-causing text:

<p><span style="line-height: 115%">This text starts with a 'T'</span></p>

The error is that the 'T' in "This", or whatever the first letter happens to be, is randomly removed when using URLDecode and saving to the DB. Removing URLDecode on the server side seems to fix it without any negative side-effects (the DB contains the开发者_如何学Python same information).

The documentation says that

Query strings in HTTP are always URL-encoded.

Is this really the case? If so, why doesn't removing URLDecode seem to mess everything up?

So two questions:

1. Why is URLDecode causing the first text character to be removed like this (it seems to only happen when the line-height property is present)?
2. Do I really need (or would I even want) to use URLDecode before putting POSTed data into the database?

Edit: I made a test page to echo back the decoded text, and URLDecode is definitely removing that character, but I have no idea why.

I believe decoding is done automatically when form scope is populated. That's why characters after % (this char is used for encoding) are removed -- you are trying to decode the string second time.

For security reasons you might be interested in stripping script tags, or even cleaning up HTML using white-list. Try to search in CFLib.org for applicable functions.