Some content is not sanitized when using Actuator (with /configprops or /env)
For example, I have a spring.datasource.url variable (where the password is shown in plain text by using /configprops):
jdbc:postgresql://ec2-54-78-36-245.eu-west-1.compute.amazonaws.com:5432/dcth5in25p94u?password=...d1cdc907257384f10151e...&sslmode=require&user=rlgzrpvivtoifo
This value is "generated" by Heroku through an environment variable.
I think query params should be sanitized as well (a bit like it is already done through the sanitizeUri function).
Comment From: philwebb
We've discovered that there are a lot of different formats the URLs can take and still be valid, which makes them quite hard to partially sanitize. We've decided to rework things in Spring Boot 3.0 and hide all values by default. For query parameter sanitization, we're going to suggest that users develop their own SanitizingFunction when they know their URLs conform to a specific pattern.
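Added example (not part of the issue thread and not Spring Boot's own code): a SanitizingFunction of the kind the comment above suggests, for the JDBC URL shape shown in the report. It assumes Spring Boot 3 on Java 17 and URLs of the form jdbc:...?name=value&name=value; the class name, the bean name and the SECRET_PARAMS list are hypothetical.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.boot.actuate.endpoint.SanitizableData;
import org.springframework.boot.actuate.endpoint.SanitizingFunction;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration(proxyBeanMethods = false)
public class JdbcUrlSanitizerConfiguration {

    // Assumption: query parameter names that carry secrets; adjust to your driver.
    private static final Set<String> SECRET_PARAMS = Set.of("password", "sslpassword");

    // One name=value pair at the start of the query string or after '&'.
    private static final Pattern PARAM = Pattern.compile("(^|&)([^=&]+)=([^&]*)");

    @Bean
    public SanitizingFunction jdbcUrlQueryParamSanitizer() {
        return data -> {
            Object value = data.getValue();
            // Match on the value, not the key, so any property holding a JDBC URL is covered.
            if (value instanceof String url && url.startsWith("jdbc:")) {
                return data.withValue(redactQueryParams(url));
            }
            return data;
        };
    }

    static String redactQueryParams(String url) {
        int q = url.indexOf('?');
        if (q < 0) {
            return url; // no query string, nothing to redact
        }
        StringBuilder out = new StringBuilder(url.substring(0, q + 1));
        Matcher m = PARAM.matcher(url.substring(q + 1));
        while (m.find()) {
            boolean secret = SECRET_PARAMS.contains(m.group(2).toLowerCase(Locale.ROOT));
            String shown = secret ? SanitizableData.SANITIZED_VALUE : m.group(3);
            m.appendReplacement(out, Matcher.quoteReplacement(m.group(1) + m.group(2) + "=" + shown));
        }
        m.appendTail(out);
        return out.toString();
    }
}
```

The function only matters when /env or /configprops is configured to show values. A JDBC URL that carries credentials in another layout (for example semicolon-separated properties) passes through unchanged, so the pattern has to match the URL format actually in use.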