https://bz.apache.org/bugzilla/show_bug.cgi?id=60594

--- Comment #25 from Mark Thomas <ma...@apache.org> ---
I'm neutral on adding '<' and '>' as allowed options.

I think '"' is in the same category, i.e. there is the risk that unexpected
reverse proxy behaviour will trigger a CVE-2016-6816-like issue, no parsing
issues and likelihood of breakage if the URL is used in HTML or similar without
escaping.
