Yes this is a bug IMO, please file an issue. The query string contents have no business influencing the spelling of the url path elements.
-Rob Ryan Working for, but not speaking for Adobe. -----Original Message----- From: Georg Köster [mailto:m...@georgkoester.de] Sent: Thursday, March 19, 2015 7:51 AM To: dev@sling.apache.org Subject: XSS protection path mangling issue: Bug or not? Hi all, I stumbled over this behavior: Last part in path gets prepended with an underscore if there is a colon in the query string. Test appended, to be applied on https://github.com/apache/sling/tree/196dea678c6010 Test output: Failed tests: XSSAPIImplTest.testGetValidHref:267 Requested '/content/items/searchpages.html?0_tag:id=geo' expected:</content/items/[searchpages.html?0_tag%3a]id=geo> but was:</content/items/[_searchpages.html?0_tag_]id=geo> Is this a bug? Should I create an issue ? Cheers, Georg