urllib.parse.quote(path, safe='/?&=') was re-encoding % to %25 in already-encoded attack paths (XXE, XSS, traversal payloads). Replaced with a manual first-? split: path component encoded with safe='/%\' (preserving existing percent sequences and backslash traversal vectors), query string passed through untouched. Covers all 53 attack payloads across 7 simulation modes. Inline comments removed from XXE_PAYLOADS to match the style of all other payload lists. |
||
|---|---|---|
| .. | ||
| Dockerfile | ||
| app.py | ||
| compose.yml | ||
| nginx.conf | ||
| simulate.py | ||