This project has moved and is read-only. For the latest updates, please go here.

Hyperlink URL is decoded twice


It appears that when a hyperlink in Papercut is clicked, the URL decoding that is usually done on the remote server is also being done in the client, thereby potentially altering the URL being loaded.

Consider an email where a user must click a link to confirm their email address, and the security token contains plus signs (+) or other characters that have special meaning in a URL query:
The plus sign is safely encoded (%2B). This is the URL that gets loaded instead:
So when the remote server decodes the query string, it changes the meaning of token from:
The same does not happen when the captured .eml file is opened in Outlook.


sweeperq wrote Jan 15, 2016 at 4:04 AM

I encountered the exact same issue while testing Identity password reset. The password reset always failed when clicking on the link from Papercut because of the URL decoding when clicking on the link.

At first I thought it was Microsoft Edge, but when I set up Chrome as my default browser it exhibited the exact same behavior.

I have to right-click, click Copy shortcut, then paste it into the browser window in order to get it to work.

Jaben wrote Feb 2, 2016 at 2:41 AM

Fixed in latest.

Kiefer27 wrote Jun 20, 2016 at 3:31 PM

Also ran into this problem, downloaded new version dated 2/1/2016 and now it works. Thanks!