Indeed the issue comes from the ESAPI lib, when we use GET style URL parameters in screens/forms links instead of POST style as Nicolas fixed 3 cases.
I made a review, we have 51 `target*&` occurrences OOTB
- The <form ... target > links are not concerned (see edit budget item for instance)
- Nor the <hyperlink target> links (see systems notes for instance)
- Nor <hyperlink target> links (see ListProductStoreFacility, but not in trunk due to
- Nor <on-event-update-area area-target> links (see ListProductStoreFacility EditProductStoreFacility)
So it seems only the <link target> links are concerned and moreover hopefully maybe only in menus. We have no longer any of them OOTB. So at least OFBiz is ok.
I will close this issue, this can no longer appear in new and custom code, because the new ESAPI implementation now throws a
org.ofbiz.base.util.UtilCodec$IntrusionException: Input validation failure
in such cases (just try to revert r1637716 in trunk)