I have been performing some XSS / JavaScript-injection / penetration testing on my ASP.NET site recently and noticed that modern web browsers (i.e. the latest FF and Chrome) are escaping the URLs entered into the address bar.
So:
http://example.com/search/?q="><script>alert('hi');</script>
is sent to my server as:
http://example.com/search/?q=%22%3e%3cscript%3ealert(%27hi%27)%3b%3c%2fscript%3e
Is there a list of all (major) browsers that do this and those that do not? Do mobile browsers do this?
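
The two URLs above, seen from the server side (an added example, not part of the original question; the helper names and the reflected search box are assumptions). After percent-decoding, the application receives the same `q` value whichever form went over the wire, so the reflected output still has to be HTML-encoded.

```javascript
// Added example. The two URLs are the ones quoted in the question;
// queryValue, htmlEncode and renderSearchBox are hypothetical helpers.
const RAW_URL =
  "http://example.com/search/?q=\"><script>alert('hi');</script>";
const ENCODED_URL =
  "http://example.com/search/?q=%22%3e%3cscript%3ealert(%27hi%27)%3b%3c%2fscript%3e";

// What a server-side framework hands the application: the percent-decoded
// value of the q parameter, regardless of how the client encoded it.
function queryValue(url) {
  return new URL(url).searchParams.get("q");
}

// HTML-encode a value for element content or a quoted attribute value.
function htmlEncode(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed page behaviour: the search term is reflected into an input field.
function renderSearchBox(url) {
  return '<input name="q" value="' + htmlEncode(queryValue(url)) + '">';
}

// Both forms decode to the identical string on the server.
console.log(queryValue(RAW_URL) === queryValue(ENCODED_URL));
// The reflected markup contains only inert entities.
console.log(renderSearchBox(ENCODED_URL));
```

A client that sends the raw bytes (a script, a proxy, an older browser) produces the same decoded value, so the test result should not depend on which browser typed the URL.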