How to make sure a string stays as a string when being passed into an API or function?

I have an API method in python as such:

@beapi.route("/edit_task/<taskID>/<updates>", methods = {"POST"})
def edit_task(taskID, updates)
    ...
    
    return jsonify("Success")

taskID and updates are both accepted as strings

it receives data from the front end using this API function in javascript:

export async function edit_task(task_id, updates){
    const api_url_ET = "http://127.0.0.1:5000/edit_task" + task_id + "/" + updates
    const response = await fetch(api_url_ET,{
        method: "POST",

        headers:{
            'Access-Control-Allow-Origin': '*'
        }
    });

    const data = await response.json();
    return data
}

task_id and updates are both strings, the problem in question arises at updates since it is an object being passed as a string

example:

edit_task("96408", '{"!set" : ["end_date", "2023/04/20"]}')

I get a CORS error because what the backend API receives is this:

http://127.0.0.1:5000/edit_task/96408/%7B%22!set%22%20:%20[%22end_date%22,%20%222023/04/20%22]%7D

How can I make sure updates is passed as a string?