It appears that numerous Nuxeo xhtml files have script tags with a src attribute url that is not encoded. For example, see line 24 in nuxeo-user-activity-stream/src/main/resources/web/nuxeo.war/incl/includes.xhtml:
<script type="text/javascript" src="#{baseURL}js/?scripts=confirmAlerts.js|DragAndDrop.js|tableSelections.js|customSeamRemotingWaiter.js|custom-javascript.js|default-contextmenu-actions.js|custom-contextmenu-actions.js|tooltip.js"></script>
The url includes the vertical pipe/bar character '|' which is "unsafe" and should be encoded as %7C. Should I open a bug for this issue across the platform?
/Ron
