I just ran into an issue with the URL scope when the following query string was passed:
?import=NwEkZjMvTrI%2CGuitar%20Teacher%20REACTS%3A%20Dead%20&%3B%20Company%20"%3BSugaree"%3B%20%7C%20LIVE%204K
It ends up with the URL scope looking like this:
Thoughts? Bug?
OS: Windows 10
Java Version: 11.0.11 (AdoptOpenJDK) 64bit
Tomcat Version: 9.0.46
Lucee Version: 5.3.8.206
Needs more context IMO before throwing up the 
flag. Some code may help.
At a glance, it looks like you html encoded data into a string (& became &) and then used that string as the URL If URL was the intention, URL encoding should be used.
Based on the string you posted, there’s no Lucee bug.
Ahhh… I didn’t notice that (it was late!!). I was taking an existing URL param and using cflocation to relocate to a different endpoint. In doing so, I simply appended the original URL param into the new endpoint without calling urlEncodedFormat() because I assumed that the original URL param wasn’t modified.
newUrl = "https://mysite.com/?import=#url.import#"
cflocation(url=urlRelocate, addToken=false);
should have been:
newUrl = "https://site.com/import/?import=#urlEncodedFormat(url.import)#"
cflocation(url=urlRelocate, addToken=false);