Percent-encode any byte that is illegal inside an RFC 7230 quoted-string before
it is interpolated into a WWW-Authenticate auth-param value. A double-quote
would close the quoted-string early (letting a client-controlled value such as a
reflected Host header append spurious auth-params), and CR/LF/control bytes have
no legal representation, so every such byte is rendered as %XX. This is
defence in depth: callers SHOULD also reject untrusted input upstream, but the
header builder must never emit a value that can break out of its quoted-string.
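
A sketch of the encoding described above, added here as an illustration and not taken from the project's own code. The function names, the `Bearer` scheme and the sample Host value are assumptions; backslash is encoded because it starts a quoted-pair, and non-ASCII (obs-text) bytes are also encoded so the output stays pure ASCII, which is stricter than RFC 7230 requires.

```python
# Added illustration; all names and sample values below are assumptions.

def _is_qdtext(b: int) -> bool:
    """True for ASCII bytes RFC 7230 allows unescaped inside a quoted-string.

    qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E (obs-text deliberately
    excluded here). That leaves out DQUOTE (0x22), backslash (0x5C), DEL and
    every control byte except HTAB.
    """
    return b in (0x09, 0x20, 0x21) or 0x23 <= b <= 0x5B or 0x5D <= b <= 0x7E


def quote_auth_param_value(value: str) -> str:
    """Render every byte that is not qdtext as %XX (uppercase hex).

    '%' is itself legal qdtext and passes through, so this is a safety
    encoding for the header, not a reversible transport encoding.
    """
    return "".join(
        chr(b) if _is_qdtext(b) else f"%{b:02X}" for b in value.encode("utf-8")
    )


def build_www_authenticate(scheme: str, params: dict) -> str:
    """Build a challenge header value.

    Scheme and auth-param names are assumed to be trusted constants chosen
    by the server; only the values are treated as potentially hostile.
    """
    rendered = ", ".join(
        f'{name}="{quote_auth_param_value(val)}"' for name, val in params.items()
    )
    return f"{scheme} {rendered}"


# Constructed input: a reflected Host header that tries to close the
# quoted-string, append an auth-param and split the response header.
HOSTILE_HOST = 'example.test", error="x"\r\nSet-Cookie: a=b'

if __name__ == "__main__":
    # Bearer realm="example.test%22, error=%22x%22%0D%0ASet-Cookie: a=b"
    print(build_www_authenticate("Bearer", {"realm": HOSTILE_HOST}))
```

The emitted header contains exactly the two double-quotes the builder wrote itself, so the hostile value stays inside a single `realm` auth-param.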