if a webhook URL contains a username and password for use with HTTP basic auth and the username is URL-encoded, the username will not be properly decoded before being sent to the external server.
Example: If you have a URL like "http://user%40example.com:password@example.com/foo", the username "user@example.com" should be sent (and the "%40" converted to "@").