Tidy breaks links with not-latin chars

Question

I use java library Tidy to sanitize html-code. Some of the code contains links with Russian letters. For example

<a href="http://example.com/Русский"&gt;link with Russian letters</a>

I understand that "Русский" must be escaped, but I get this html from users. And my job is to convert it to XHTML.

I think tidy tries to escape not-latin letters, but as a result I get

<a href="http://example.com/%420%443%441%441%43A%438%439"&gt;link with Russian letters</a>

This is not corect. Correct version is

<a href="http://example.com/%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9"&gt;link with Russian letters</a>

Java code is

private static Tidy getTidy() {
    if (null == tidy) {
      tidy = new Tidy();
      tidy.setQuiet(true);
      tidy.setShowErrors(0);
      tidy.setShowWarnings(false);
      tidy.setXHTML(true);
      tidy.setOutputEncoding("UTF-8");
    }
    return tidy;
}

public static String sanitizeHtml(String html, URI pageUri) {
    boolean escapeMedia = false;
    String ret = "";
    try {
      Document doc = getTidy().parseDOM(new StringReader("<body>" + html + "</body>"), null);

      // here I make some processing

      // string output
      ByteArrayOutputStream out = new ByteArrayOutputStream();
      Node node = doc.getElementsByTagName("body").item(0);
      getTidy().pprint(node, out);
      ret = out.toString().trim();
    }
    catch (Exception e) {
      ret = html;
      e.printStackTrace();
    }

    return ret;
}

Answer 1

It's a hard-coded behaviour and it's probably a bug. They use UTF-16 to escape non-ASCII characters in URLs when they should use UTF-8. See org/w3c/tidy/AttrCheckImpl.java.