[keycloak-dev] html encoded url in form actions - bug or feature?

Hi all, I just discovered that the action url of the login-form seems to get HTML encoded and I woundered, if thats a bug or a feature. In https://github.com/keycloak/keycloak/blob/4.1.0.Final/themes/src/main/res... you can see the following line: <form id="kc-form-login" onsubmit="login.disabled = true; return true;" action="${url.loginAction}" method="post"> On my instance, this resolves to something similar to this: <form id="kc-form-login" onsubmit="login.disabled = true; return true;" action=" https://xx.xx.xx.xx:8443/auth/realms/master/login-actions/authenticate?se... method="post"> All "&" are encoded as &amp;. This became an issue for me, when I tried to call the url via JavaScripts fetch method. With the same URL, I got a sevrer error. When changing the URL to: fetch("${url.loginAction?no_esc}", ...) it finally worked. Shouldn't all form-urls and href-urls not be escacped? What makes me wonder is, that the same URL just works for regular post requests! For documentation on escaping you can find more information here: https://freemarker.apache.org/docs/dgui_quickstart_template.html#dgui_qui... Greetings, Felix -- Ein Produkt der Cap3 GmbH, Ringstr. 19, 24114 Kiel, Deutschland Registergericht: Amtsgericht Kiel, HRB 13257 Geschäftsführung: Felix Magedanz, Nicolas Günther, Bettual Richter, Sören Fenner