Fixes #255 - Incorrect double-unescaping of request parameters breaks restricted mode check on view name presence

Author: danielfernandez

thymeleaf-spring3/src/main/java/org/thymeleaf/spring3/util/SpringRequestUtils.java

@@ -52,7 +52,7 @@ public static void checkViewNameNotInRequest(final String viewName, final HttpSe
             while (!found && paramNames.hasMoreElements()) {
                 paramValues = request.getParameterValues(paramNames.nextElement());
                 for (int i = 0; !found && i < paramValues.length; i++) {
-                    paramValue = StringUtils.pack(UriEscape.unescapeUriQueryParam(paramValues[i]));
+                    paramValue = StringUtils.pack(paramValues[i]);
                     if (paramValue.contains(vn)) {
                         found = true;
                     }

thymeleaf-spring4/src/main/java/org/thymeleaf/spring4/util/SpringRequestUtils.java

@@ -52,7 +52,7 @@ public static void checkViewNameNotInRequest(final String viewName, final HttpSe
             while (!found && paramNames.hasMoreElements()) {
                 paramValues = request.getParameterValues(paramNames.nextElement());
                 for (int i = 0; !found && i < paramValues.length; i++) {
-                    paramValue = StringUtils.pack(UriEscape.unescapeUriQueryParam(paramValues[i]));
+                    paramValue = StringUtils.pack(paramValues[i]);
                     if (paramValue.contains(vn)) {
                         found = true;
                     }

thymeleaf-spring5/src/main/java/org/thymeleaf/spring5/util/SpringRequestUtils.java

@@ -52,7 +52,7 @@ public static void checkViewNameNotInRequest(final String viewName, final HttpSe
             while (!found && paramNames.hasMoreElements()) {
                 paramValues = request.getParameterValues(paramNames.nextElement());
                 for (int i = 0; !found && i < paramValues.length; i++) {
-                    paramValue = StringUtils.pack(UriEscape.unescapeUriQueryParam(paramValues[i]));
+                    paramValue = StringUtils.pack(paramValues[i]);
                     if (paramValue.contains(vn)) {
                         found = true;
                     }