DefaultCasProtocolAttributeEncoder attribute name sanitizing logic is broken
CAS tries to escape attribute names in CAS protocol response if they contain ':' and '@' symbols.
In CAS 5.3 (I know it's unsupported) it uses HEX-encoding of such names. When I am trying to release some SAML standard attributes (e.g. urn:oid:1.3.6.1.4.1.5923.1.1.1.9) using CAS protocol I have the following attributes map in the response:
<!-- Skipped for clarity -->
<cas:75726e3a6f69643a312e332e362e312e342e312e353932332e312e312e312e39>[hidden email]</cas:75726e3a6f69643a312e332e362e312e342e312e353932332e312e312e312e39>
<!-- Skipped for clarity -->
</cas:attributes>
75726e3a6f69643a312e332e362e312e342e312e353932332e312e312e312e39 is not a valid XML tag name. XML tag name cannot start with a digit. Client libraries cannot even parse this XML!
I can see that this behavior has changed for some reason in the master branch. Now it uses Base64 encoding for attribute names (same as for values), which does not solve this problem (a Base64 encoded string can still start with a digit) but makes it even worse (Base64 has / and = symbols which should not be present in a tag name).
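
The check below is an added example, not part of the original post and not CAS code. It hex-encodes and Base64-encodes the attribute name from the post, tests each result against the XML rule for the local part of a tag name, and parses a constructed `cas:attributes` fragment the way a client library would. The function names, the ASCII-only name pattern, the sample value, and the `_`-prefixed hex scheme are assumptions made for illustration; the prefixed scheme is a hypothetical alternative, not what CAS does.

```python
import base64
import re
import xml.etree.ElementTree as ET

# ASCII subset of the XML NCName rule (the local part after "cas:"):
# starts with a letter or "_", then letters, digits, ".", "-", "_".
NCNAME_ASCII = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*\Z")

ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # name decoded from the hex tag in the post


def hex_name(name):
    """Hex-encode the name, as the post describes for CAS 5.3."""
    return name.encode("utf-8").hex()


def base64_name(name):
    """Base64-encode the name, as the post describes for the master branch."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")


def prefixed_hex_name(name):
    """Hypothetical alternative: a leading "_" makes the hex form a valid name."""
    return "_" + hex_name(name)


def is_valid_local_name(local):
    """True if the string can be used as the local part of an XML tag name."""
    return NCNAME_ASCII.match(local) is not None


def client_can_parse(local, value="constructed-value"):
    """Build a constructed attributes fragment and parse it as a client would."""
    doc = ('<cas:attributes xmlns:cas="http://www.yale.edu/tp/cas">'
           "<cas:{0}>{1}</cas:{0}></cas:attributes>").format(local, value)
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for encode in (hex_name, base64_name, prefixed_hex_name):
        local = encode(ATTR)
        print(encode.__name__, local,
              "valid name:", is_valid_local_name(local),
              "client parses:", client_can_parse(local))
```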