diff --git a/internal/waf/injectionutils/utils_sqli.go b/internal/waf/injectionutils/utils_sqli.go
index 7a44a5d..3b97797 100644
--- a/internal/waf/injectionutils/utils_sqli.go
+++ b/internal/waf/injectionutils/utils_sqli.go
@@ -69,6 +69,11 @@ func DetectSQLInjection(input string) bool {
 return detectSQLInjectionOne(args)
 }
 }
+ } else {
+ unescapedInput, err := url.QueryUnescape(input)
+ if err == nil && input != unescapedInput {
+ return detectSQLInjectionOne(unescapedInput)
+ }
 }
 return false
diff --git a/internal/waf/injectionutils/utils_sqli_test.go b/internal/waf/injectionutils/utils_sqli_test.go
index 6e22b20..08bab8c 100644
--- a/internal/waf/injectionutils/utils_sqli_test.go
+++ b/internal/waf/injectionutils/utils_sqli_test.go
@@ -16,6 +16,7 @@ import (
 func TestDetectSQLInjection(t *testing.T) {
 var a = assert.NewAssertion(t)
 a.IsTrue(injectionutils.DetectSQLInjection("' UNION SELECT * FROM myTable"))
+ a.IsTrue(injectionutils.DetectSQLInjection("id=1 ' UNION select * from a"))
 a.IsTrue(injectionutils.DetectSQLInjection("asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--"))
 a.IsFalse(injectionutils.DetectSQLInjection("' UNION SELECT1 * FROM myTable"))
 a.IsFalse(injectionutils.DetectSQLInjection("1234"))
@@ -27,6 +28,7 @@ func TestDetectSQLInjection(t *testing.T) {
 a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1"))
 a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1"))
 a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/sql/injection?id=123%20or%201=1"))
+ a.IsTrue(injectionutils.DetectSQLInjection("id=123%20or%201=1"))
 a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/' or 1=1"))
 }
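Review bot: The new `else` branch in DetectSQLInjection scans only one percent-decoded form, so a decode error (`err != nil`) or a second encoding layer leaves the decoded payload unexamined, and the identical five lines are added to DetectXSS in utils_xss.go — the decision belongs in one shared helper rather than two copies. The added test value `id=1 ' UNION select * from a` contains nothing to decode yet must be flagged, which suggests the raw input is already scanned above this hunk; DetectSQLInjection starts outside the hunk, so confirm that before relying on the `return false` fall-through here. A helper that wraps `url.QueryUnescape` and reports whether decoding changed anything removes the duplication and gives one place to add a bounded repeat decode and a decode-failure counter for monitoring. `url` must already be imported in utils_sqli.go for this hunk to compile; that import is not in the diff.
```go
// decodeQueryIfChanged percent-decodes input and reports whether decoding
// succeeded and produced a different string; callers scan the decoded form
// only in that case, so the raw form must be scanned elsewhere.
func decodeQueryIfChanged(input string) (string, bool) {
	decoded, err := url.QueryUnescape(input)
	if err != nil || decoded == input {
		return "", false
	}
	return decoded, true
}

// … unchanged: start of DetectSQLInjection and the URL-parsing branch …
	} else if decoded, ok := decodeQueryIfChanged(input); ok {
		// input is not a URL: scan its percent-decoded form once, if it differs.
		return detectSQLInjectionOne(decoded)
	}
	return false
```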
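Review bot: The new assertion `id=123%20or%201=1` covers the positive path of the decoded-input branch, but nothing pins its two other outcomes: a benign encoded value must stay clean and a malformed percent sequence must not change the result. Two lines such as `a.IsFalse(injectionutils.DetectSQLInjection("name=John%20Smith"))` and `a.IsFalse(injectionutils.DetectSQLInjection("name=John%"))` would lock those down; the second value fails `url.QueryUnescape`, so it is the only way to exercise the `err != nil` path. TestDetectSQLInjection begins in the earlier hunk of this file.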
@@ -98,7 +100,7 @@ func BenchmarkDetectSQLInjection_Normal_Large(b *testing.B) {
 b.RunParallel(func(pb *testing.PB) {
 for pb.Next() {
- _ = injectionutils.DetectSQLInjection("a/sql/injection?id=" + types.String(rands.Int64()%10000) + "&s=" + s)
+ _ = injectionutils.DetectSQLInjection("a/sql/injection?id=" + types.String(rands.Int64()%10000) + "&s=" + s + "&v=%20")
 }
 })
 }
diff --git a/internal/waf/injectionutils/utils_xss.go b/internal/waf/injectionutils/utils_xss.go
index 0808129..7a9c55c 100644
--- a/internal/waf/injectionutils/utils_xss.go
+++ b/internal/waf/injectionutils/utils_xss.go
@@ -68,6 +68,11 @@ func DetectXSS(input string) bool {
 return detectXSSOne(args)
 }
 }
+ } else {
+ unescapedInput, err := url.QueryUnescape(input)
+ if err == nil && input != unescapedInput {
+ return detectXSSOne(unescapedInput)
+ }
 }
 return false
diff --git a/internal/waf/injectionutils/utils_xss_test.go b/internal/waf/injectionutils/utils_xss_test.go
index 7abc1c7..4cab416 100644
--- a/internal/waf/injectionutils/utils_xss_test.go
+++ b/internal/waf/injectionutils/utils_xss_test.go
@@ -23,6 +23,7 @@ func TestDetectXSS(t *testing.T) {
 a.IsTrue(injectionutils.DetectXSS("onkeyup=a"))
 a.IsTrue(injectionutils.DetectXSS("
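Review bot: The benchmark input `a/sql/injection?id=…&s=…&v=%20` contains a `?`, so if that form is handled by the URL-parsing branch above the new code (decided outside this hunk), the appended `&v=%20` measures decoding on the existing path and not the new non-URL branch, which now calls `url.QueryUnescape` on every input that reaches it. A sibling benchmark with a bare `k=v%20` style input of the same size would show what the new branch costs on the large-input case this benchmark targets. BenchmarkDetectSQLInjection_Normal_Large starts outside the hunk, where `s` is built.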