Canonicalize() breaks in 3.0.0.13-RC, default since Lucee 7.0.2.41

Leftbower · February 25, 2026, 1:15am

This SNAPSHOT includes the OWASP (Guard) extension 3.0.0.13-RC.
Previously, if you used canonicalize() on a string that contained values separated by tabs, carriage returns, or new lines, those were preserved. Since this new version, all of those delimeters are removed. Only spaces as a delimiter seem to survive.

v2.6.0.1:
7.0.1.100

v3.0.0.13-RC:
7.0.2.41

A related issue is that it doesn’t seem possible to cleanly downgrade from the v3 back to the v2 (or perhaps I didn’t try hard enough )… so have had to pin the v2 in the .env and clean install.

Zackster · February 25, 2026, 4:43am

Can you file a ticket about canonicalize()?

The new behaviour seems more “consistent” with the description, but of course backwards compatibility is critical

I thought we resolved the downgrade issues shortly before the first 7.0.2 RC

But Lucee does enforce via it’s manifest the minimum version of an extension allowed, for guaranteed compatibility

Leftbower · February 25, 2026, 6:30pm

Filed LDEV-6125