Characters in the GET url path are not properly escaped and can be reflected in the server response.