Broken Link when using semicolon in the URL in Resin application server

We use Resin 4.0.48 application server and his implementation of Servlet API make Spring Hateoas ( 0.23.0) Links broken. Here an example
We've got bellow controller, which builds Link to himself.

@RestController
public class SemicolonBreakableController {
    @RequestMapping(path = "/blabla/9999/sort/{sortKey}", method = RequestMethod.GET)
    @ResponseBody
    public Link blablaFragment(@PathVariable("sortKey") String sortKey) {
        ControllerLinkBuilder linkBuilder = linkTo(
                methodOn(SemicolonBreakableController.class).blablaFragment("default"));
        return linkBuilder.withSelfRel();
    }
}

Now we've got following request with kinda HTML atack: http://localhost:8080/blabla/9999/sort/'style='font-size:100pxbackground:%23ccc'onmouseover=alert`xss`>XSS!<x

Actually we want that we get bellow JSON, because we set always sortKey to "default"

{"rel":"self","href":"http://localhost:8080/blabla/9999/sort/default"}

But we get something like this:

{"rel":"self","href":"http://localhost:8080/blabla/9999/sort/'style='font-size:100px;background:#ccc'onmouseover=alert`xss`>XSS!<x/blabla/9999/start/0/sort/default"}

So the part /blabla/9999/sort/ is somehow twice.

I think the problem is in the method UrlPathHelper.getPathWithinServletMapping, where you get

String pathWithinApp = getPathWithinApplication(request);
String servletPath = getServletPath(request);

during the debugging I saw the value of these variables were:

pathWithinApp = "/blabla/9999/sort/'style='font-size:100px"
servletPath = "/blabla/9999/sort/'style='font-size:100px;background:#ccc'onmouseover=alert`xss`>;XSS!<x"

[gregturn]

So far, I just keep getting:

java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
	at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:471) ~[tomcat-embed-core-8.5.11.jar:8.5.11]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667) ~[tomcat-embed-core-8.5.11.jar:8.5.11]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.11.jar:8.5.11]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798) [tomcat-embed-core-8.5.11.jar:8.5.11]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1434) [tomcat-embed-core-8.5.11.jar:8.5.11]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.11.jar:8.5.11]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_121]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_121]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.11.jar:8.5.11]
	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_121]

It may be because I'm having a hard time coming up with the curl command to encode this injected path variable.

Did you try it with the Resin? With Tomcat (also embedded) there is no problem with it.

[gregturn]

@RT-I No. Can you provide link to easiest means to leverage Resin? HINT: A Spring Boot app that uses embedded Resin would be of maximum benefit.