Issue
I have the following request Url /search?charset=UTF-8&q=C%23C%2B%2B. My controller looks like
@RequestMapping(method = RequestMethod.GET, params = "q")
public String refineSearch(@RequestParam("q") final String searchQuery,....
and here I have searchQuery = 'CC++'. '#' is encoded as '%23' and '+' as '%2B'. Why does searchQuery not contain '#'?
Solution
Finally I found the problem. In the filter chain, ServletRequest is wrapped in XSSRequestWrapper with DefaultXSSValueTranslator, and here is the method String stripXSS(String value), which iterates through the pattern list; if the value matches a pattern, the method deletes it. The pattern list contains the "\u0023" pattern, so '#' is replaced with "".
DefaultXSSValueTranslator:
private String stripXSS(String value) {
    // Skip null/empty input; otherwise run every configured pattern over the value
    if (value != null && value.length() > 0) {
        for (Pattern scriptPattern : this.patterns) {
            // Every match of the pattern is removed, so a pattern such as
            // "\u0023" deletes each '#' in the parameter value
            value = scriptPattern.matcher(value).replaceAll("");
        }
    }
    return value;
}
Answered By - Oleksandr Onopriienko
Answer Checked By - Marie Seifert (JavaFixing Admin)
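The following is an added example, not code from the question, the answer or the project involved. It reproduces the behaviour the answer describes with a constructed pattern list (the real list is not shown on the page) so the loss of '#' from "C#C++" can be seen directly, and places it beside HTML output encoding, the usual XSS defence that leaves the parameter value intact for the application and only neutralises it at render time. Class and method names are made up for the demo.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example (not the project's code): why a blanket input-stripping filter
// corrupts legitimate query values, contrasted with output encoding.
public class StripXssDemo {

    // Constructed pattern list modelled on the answer: the "\u0023" entry is the
    // literal '#' character, so every '#' in any parameter is removed.
    static final List<Pattern> PATTERNS = List.of(
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("\u0023")
    );

    // Same logic as the decompiled stripXSS: each pattern's matches are deleted.
    static String stripXss(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        for (Pattern p : PATTERNS) {
            value = p.matcher(value).replaceAll("");
        }
        return value;
    }

    // Output encoding for an HTML text node: the stored value is unchanged and
    // the characters that could start markup are escaped only when rendered.
    static String htmlEscape(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // What the servlet container hands the controller for q=C%23C%2B%2B
        String searchQuery = "C#C++";
        System.out.println("stripped : " + stripXss(searchQuery));
        System.out.println("escaped  : " + htmlEscape(searchQuery));

        // Constructed markup input, to show that escaping keeps it inert
        String markup = "<script>1</script>";
        System.out.println("stripped : " + stripXss(markup));
        System.out.println("escaped  : " + htmlEscape(markup));
    }
}
```

Per the answer, the first line shows the '#' removed from the search term, while the escaped value keeps the term as typed because none of its characters need escaping. If the wrapper has to stay, the practical fix is to exclude plain-text parameters such as q from it (or drop the bare '#' pattern) and rely on encoding in the view; a character-deletion filter in front of every parameter silently changes what users searched for, and a search for "C#" becoming a search for "C" is exactly the kind of defect that surfaces first in logs and support tickets rather than in tests.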