this was done in r1150391 by martin for http://wicket.apache.org/2011/08/23/cve-2011-2712.html
-igor

On Thu, Dec 1, 2011 at 8:45 AM, Gereon Steffens <[email protected]> wrote:
> Hi,
>
> I've noticed a change in Wicket 1.4.19 regarding URL parameter encoding.
> If a parameter value contains a single quote, these quotes are now
> preceded by a backslash (this happens in RequestCycle#encodeUrlFor).
>
> Why is this done? I've never heard of backslash-escaping in relation to
> URLs.
>
> As far as I can tell, this also breaks compatibility with apps/sites that
> now need additional code to parse parameters like
> example.com?param=a'b which is now represented as param=a\'b. Even if the
> backslash were necessary in a URL, it should be URL-escaped as %5c.
>
> Am I missing something?
>
> Regards
> Gereon
