It is common practice to use the tag combo [[T1:[[S8]]]] for the NEXTURL parameter for the UserLogin servlet for logging in or out, telling the servlet where to send the web visitor after they are logged in/out. Professional Services uses this regularly.
The T1 tag escapes the value so it can be safely used as the NEXTURL parameter. S8 grabs the current URL and HTML escapes any characters, such as the ampersand - so "&" converts to "&amp;". The problem occurs when you have an ampersand in the URL, and the [[T1:[[S8]]]] combo is used more than once (for example logging out and then logging back in, and the tag combo is used as the NEXTURL for both commands).
This didn't use to be a problem in the past when the [[S8]] tag did not HTML escape special characters. But now it does. I am proposing that the [[S8]] tag be provided a parameter to indicate whether or not to HTML escape special characters, such as [[S8:1]] for HTML escaping, and [[S8:0]] for no HTML escaping. This would allow the developer to decide which format works best for them.
As an example to demonstrate the current issue: ...
So the first time you log out, the [[T1:[[S8]]]] combo converts ampersands to "%26amp%3B". If you then immediately log back in, you get the URL with ampersands converted to "&" which is fine. But if you log out again, the NEXTURL in the logout link becomes "%26amp%3Bamp%3B" which is translated to "&amp;" which causes whatever is past that point in the URL to be recognized as the wrong URL parameter name. For example, "&fr_id=XXXX" after two logouts becomes "&amp;fr_id=XXXX" and so the URL parameter is recognized as "amp;fr_id" rather than "fr_id" so the TeamRaiser ID is not recognized.
As an interim solution, I use an E130 to remove the double escaping of ampersands in the NEXTURL parameter of the logout URL. For example, I am now using [[E130:"[[T1:[[S8]]]]" "%26amp%3Bamp%3B" "%26amp%3B" replaceall]].
I understand why the S8 tag HTML encodes characters, to provide valid HTML source code. But this poses a problem for the common use of [[T1:[[S8]]]] in the NEXTURL parameter for login and logout functionality, which is used both by clients and Blackbaud's internal Professional Services staff.
Area of the Product | Content |
Org/Company Name | Alzheimer's Association |
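
The double escaping and the E130 workaround described above can be reproduced offline with the following added example, which is not part of the original post and is not Blackbaud code. It assumes `html.escape` is a fair stand-in for [[S8]] and `urllib.parse.quote` for [[T1]]; the function names and the sample URL are constructed for illustration.

```python
from html import escape
from urllib.parse import quote, urlsplit

# Constructed sample URL; 1234 stands in for the fr_id value.
CLEAN = "https://example.org/site/TR?pg=entry&fr_id=1234"

def s8(url):
    """Assumed model of [[S8]]: HTML-escape the current URL."""
    return escape(url, quote=True)

def t1(value):
    """Assumed model of [[T1:...]]: percent-encode for use as a parameter value."""
    return quote(value, safe="")

def next_url(current_url):
    """Model of the [[T1:[[S8]]]] combo used for NEXTURL."""
    return t1(s8(current_url))

def param_names(url):
    """Parameter names as a server splitting the query on '&' sees them."""
    query = urlsplit(url).query
    return [pair.split("=", 1)[0] for pair in query.split("&") if pair]

def e130_workaround(encoded):
    """The interim fix from the post: one replaceall pass over the encoded value."""
    return encoded.replace("%26amp%3Bamp%3B", "%26amp%3B")

def collapse_amp(url):
    """Generalisation: undo any depth of '&amp;' nesting before escaping once.
    Caveat: a URL that legitimately contains a literal '&amp;' is altered too."""
    while "&amp;" in url:
        url = url.replace("&amp;", "&")
    return url

def normalized_next_url(current_url):
    """Escape exactly once, however many times the URL was escaped before."""
    return next_url(collapse_amp(current_url))

if __name__ == "__main__":
    once = s8(CLEAN)                      # URL that still carries '&amp;'
    print(next_url(CLEAN))                # contains %26amp%3B
    print(next_url(once))                 # contains %26amp%3Bamp%3B
    print(param_names(once))              # 'amp;fr_id' instead of 'fr_id'
    print(e130_workaround(next_url(once)) == next_url(CLEAN))
    print(normalized_next_url(s8(s8(once))) == next_url(CLEAN))
```

The single `replaceall` pass removes one level of nesting only, so a URL that has been escaped three times still comes out doubled; collapsing before escaping handles any depth.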