Tomcat 9.0.54 rejects my URL because of the "<" and ">" symbols. It also rejects it when they are in their percent-encoded forms, "%3C" and "%3E". I also tried adding relaxedQueryChars="<>" to the Connector in the server.xml, but to no avail.
The Tomcat instance is spun up by Cargo when running the Bloomreach CMS. The URL is as follows:
http://localhost:8080/site/api/documents?_expr=(hippostdpubwf:lastModificationDate%3Exs:dateTime('2021-04-09T20:56:18.496%2B02:00'))
Changing the %3E to a "=" (%3D) makes the URL accepted by Tomcat.
When spinning up a default Tomcat docker, this issue is not present.
Has anyone had a similar issue, or could anyone point me in a direction that might fix this issue?
EDIT: Replacing ">" with "gt" will result in a proper query without having to interfere with the XSSUrlFilter that Jeroen mentioned.
Looks like you're hitting the org.hippoecm.hst.container.XSSUrlFilter that is present by default in the web.xml of the site webapp.
It's a simple, extendable filter to prevent basic scripting attacks. Regards, Jeroen
PS you might like the forums at community.bloomreach.com
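An added example, not part of the thread and not Tomcat or Bloomreach code: a simplified model of the two layers involved, showing why relaxedQueryChars alone does not help and why the "gt" form passes. The function names are hypothetical, the connector check covers only the characters Tomcat documents for relaxedQueryChars, and the application filter's behaviour (rejecting raw or percent-encoded angle brackets) is an assumption based on what the thread reports, not the XSSUrlFilter source.

```python
from urllib.parse import unquote

# Characters Tomcat's HTTP parser refuses raw in a query string unless
# they are listed in the Connector's relaxedQueryChars attribute.
TOMCAT_OPTIONAL_QUERY_CHARS = set('"<>[\\]^`{|}')


def connector_accepts(raw_query, relaxed_query_chars=""):
    """Simplified model of the connector-level check on the raw query."""
    blocked = TOMCAT_OPTIONAL_QUERY_CHARS - set(relaxed_query_chars)
    return not any(ch in blocked for ch in raw_query)


def app_filter_accepts(raw_query):
    """Assumed behaviour of an application-level XSS URL filter: reject
    angle brackets whether raw or percent-encoded (not the real source)."""
    return not any(ch in "<>" for ch in raw_query + unquote(raw_query))


def rejecting_layer(raw_query, relaxed_query_chars=""):
    """Return which layer rejects the query, or None if both accept it."""
    if not connector_accepts(raw_query, relaxed_query_chars):
        return "connector"
    if not app_filter_accepts(raw_query):
        return "app-filter"
    return None


# Constructed sample queries based on the URL in the question; the spacing
# around "gt" is an assumption.
DATE = "xs:dateTime('2021-04-09T20:56:18.496%2B02:00')"
SAMPLES = {
    "raw": "_expr=(hippostdpubwf:lastModificationDate>" + DATE + ")",
    "encoded": "_expr=(hippostdpubwf:lastModificationDate%3E" + DATE + ")",
    "gt": "_expr=(hippostdpubwf:lastModificationDate%20gt%20" + DATE + ")",
}

if __name__ == "__main__":
    for name, query in SAMPLES.items():
        for relaxed in ("", "<>"):
            print(name, repr(relaxed), rejecting_layer(query, relaxed))
```

In this model the percent-encoded form never trips the connector, so a rejection of "%3E" points at a filter inside the web application rather than at the Connector configuration.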