The credentials-binding-plugin tries to hide its secrets from the jenkins log. I presume the algoritm is to do a simple replace on the known passwords with ****
The trouble is, if you want to use that password to pass to git... as in...
that doesn't work because MYPASS has to be url encoded... so what one does is something like:
This now works BUT since your password is now URL encoded, the secret hiding algorithm will now reveal it in the log.
I suppose the simplest solution to this is to mask not only the password, but the url encoded password too.