It appears that when a hyperlink in Papercut is clicked, the URL decoding that is usually done on the remote server is also being done in the client, thereby potentially altering the URL being loaded.
Consider an email where a user must click a link to confirm their email address, and the security token contains plus signs (+) or other characters that have special meaning in a URL query:
The plus sign is safely encoded (
). This is the URL that gets loaded instead:
So when the remote server decodes the query string, it changes the meaning of
The same does not happen when the captured
file is opened in Outlook.