diff --git a/dlls/webservices/url.c b/dlls/webservices/url.c
index 8bd3d82660f..6f2ce9d6c97 100644
--- a/dlls/webservices/url.c
+++ b/dlls/webservices/url.c
@@ -87,11 +87,13 @@ static inline int url_decode_byte( char c1, char c2 )
 
     if (c1 >= '0' && c1 <= '9') ret = (c1 - '0') * 16;
     else if (c1 >= 'a' && c1 <= 'f') ret = (c1 - 'a' + 10) * 16;
-    else ret = (c1 - 'A' + 10) * 16;
+    else if (c1 >= 'A' && c1 <= 'F') ret = (c1 - 'A' + 10) * 16;
+    else return -1;
 
     if (c2 >= '0' && c2 <= '9') ret += c2 - '0';
     else if (c2 >= 'a' && c2 <= 'f') ret += c2 - 'a' + 10;
-    else ret += c2 - 'A' + 10;
+    else if (c2 >= 'A' && c2 <= 'F') ret += c2 - 'A' + 10;
+    else return -1;
 
     return ret;
 }
@@ -102,15 +104,16 @@ static WCHAR *url_decode( WCHAR *str, ULONG len, WS_HEAP *heap, ULONG *ret_len )
     BOOL decode = FALSE, convert = FALSE;
     ULONG i, len_utf8, len_left;
     unsigned char *utf8, *r;
+    int b;
 
     *ret_len = len;
     for (i = 0; i < len; i++, p++)
     {
         if ((len - i) < 3) break;
-        if (p[0] == '%' && iswxdigit( p[1] ) && iswxdigit( p[2] ))
+        if (p[0] == '%' && (b = url_decode_byte( p[1], p[2] )) != -1)
         {
             decode = TRUE;
-            if (url_decode_byte( p[1], p[2] ) > 159)
+            if (b > 159)
             {
                 convert = TRUE;
                 break;
@@ -125,9 +128,9 @@ static WCHAR *url_decode( WCHAR *str, ULONG len, WS_HEAP *heap, ULONG *ret_len )
         p = str;
         while (len)
         {
-            if (len >= 3 && p[0] == '%' && iswxdigit( p[1] ) && iswxdigit( p[2] ))
+            if (len >= 3 && p[0] == '%' && (b = url_decode_byte( p[1], p[2] )) != -1)
             {
-                *q++ = url_decode_byte( p[1], p[2] );
+                *q++ = b;
                 p += 3;
                 len -= 3;
             }
@@ -144,9 +147,9 @@ static WCHAR *url_decode( WCHAR *str, ULONG len, WS_HEAP *heap, ULONG *ret_len )
     len_left = len_utf8;
     while (len_left)
     {
-        if (len_left >= 3 && r[0] == '%' && isxdigit( r[1] ) && isxdigit( r[2] ))
+        if (len_left >= 3 && r[0] == '%' && (b = url_decode_byte( r[1], r[2] )) != -1)
         {
-            r[0] = url_decode_byte( r[1], r[2] );
+            r[0] = b;
             len_left -= 3;
             memmove( r + 1, r + 3, len_left );
             len_utf8 -= 2;
@@ -214,7 +217,7 @@ HRESULT WINAPI WsDecodeUrl( const WS_STRING *str, ULONG flags, WS_HEAP *heap, WS
     if (len && *q == ':')
     {
         p = ++q; len--;
-        while (len && iswdigit( *q ))
+        while (len && '0' <= *q && *q <= '9')
         {
             if ((port = port * 10 + *q - '0') > 65535) goto done;
             q++; len--;
@@ -481,7 +484,7 @@ HRESULT WINAPI WsEncodeUrl( const WS_URL *base, ULONG flags, WS_HEAP *heap, WS_S
     {
         q = url->portAsString.chars;
         len = url->portAsString.length;
-        while (len && iswdigit( *q ))
+        while (len && '0' <= *q && *q <= '9')
         {
             if ((port = port * 10 + *q - '0') > 65535)
             {