This was reported to me by Gareth Carter, the investigation is mine.
If for instance you use this SQL expression
It will be interpreted (and returned to UI) as
And no result will be returned when OOTB there is 6 <PartyRole partyId="***" roleTypeId="CARRIER"/> entities
This is because in UtilHttp.canonicalizeParameterMap() UtilHttp.canonicalizeParameter() is called. And inside the later UtilCodec.canonicalize() is used. So 2 ESAPI codecs are tested HTMLEntityCodec.decode() and PercentCodec.decode(). Only PercentCodec.decode() does a change so it's picked. In this case it should not, because nothing should be decoded. At this point, nothing has been encoded, the String the codec decodes is still "select * from Party_Role where role_Type_Id LIKE '%CA%'"
I read at https://en.wikipedia.org/wiki/Percent-encoding that though mostly planned for URL encoding percent encoding
is also used in the preparation of data of the application/x-www-form-urlencoded media type, as is often used in the submission of HTML form data in HTTP requests.
But in the specific case of a like in an SQL expression coming from the text area of webtools/control/EntitySQLProcessor it should not be used because the % followed by some chars, may be wrongly decoded.
Because there are no other ways provided by the percent codec to prevent the decoding (it's supposed to have been encoded before), I'm not quite proud of it but I found only this workaround so far