...and other UTF-8 characters encoded as two hex values, as in this example:
The reason for this is the OWASP ESAPI PercentCodec implementation used within the method UtilCodec.canonicalize, which is called before the proper decoding via java.net.URLDecoder here:
The fix could be to use the canonicalize logic only to check the original value for double/mixed encoding, and then to decode the original value via URLDecoder instead of using the canonicalize output for this.
This way the UrlCodec decode method matches the encode method, since URLDecoder / URLEncoder alone do the main job.
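As an added illustration (this is not OFBiz or ESAPI code), the following Java program models the mismatch and the proposed ordering. `decodeCharwise` is a simplified stand-in for the "one %XX becomes one char" behaviour the report attributes to the ESAPI PercentCodec, `isDoubleEncoded` is a hypothetical stand-in for the canonicalize double-encoding check, and the sample inputs are constructed; only `java.net.URLDecoder` is the real API.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class PercentDecodeDemo {

    // Simplified model of a decoder that turns every %XX into a single char
    // (the behaviour described for the ESAPI PercentCodec). Not the ESAPI code.
    static String decodeCharwise(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi >= 0 && lo >= 0) {
                    // The byte value is used directly as a char, so the two
                    // bytes of a UTF-8 sequence become two Latin-1 chars.
                    out.append((char) (hi * 16 + lo));
                    i += 2;
                    continue;
                }
            }
            out.append(c);
        }
        return out.toString();
    }

    // Hypothetical stand-in for the canonicalize "double encoding" check:
    // if decoding the once-decoded value changes it again, the input carried
    // more than one layer of percent-encoding. Like a strict canonicalize
    // policy, this also rejects a legitimate "%25" followed by two hex digits.
    static boolean isDoubleEncoded(String original) {
        String once = decodeCharwise(original);
        String twice = decodeCharwise(once);
        return !twice.equals(once);
    }

    // Proposed ordering: the canonicalize-style output is used only for the
    // check; the actual decoding is done on the ORIGINAL value by URLDecoder,
    // which decodes %C3%A9 as one UTF-8 character.
    static String decodeSafely(String original) {
        if (isDoubleEncoded(original)) {
            throw new IllegalArgumentException("double/mixed encoding detected: " + original);
        }
        // Caveat: URLDecoder also maps '+' to a space (form-encoding rules),
        // matching what URLEncoder produces on the encode side.
        return URLDecoder.decode(original, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String input = "caf%C3%A9";                 // constructed: "café" percent-encoded as UTF-8
        System.out.println(decodeCharwise(input));  // cafÃ© : two chars where one é was meant
        System.out.println(decodeSafely(input));    // café  : correct UTF-8 decoding
        try {
            decodeSafely("%2541");                  // constructed double-encoded "A"
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running the `main` shows the two decoders disagreeing on the same input: the charwise model yields the mojibake form, while the check-then-URLDecoder path keeps the rejection of double encoding and still returns the correctly decoded UTF-8 value.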