Currently rawurldecode called before splitting line by & (here):
private static function convertInitData(string $initData): array
{
$initDataArray = explode('&', rawurldecode($initData));
$needle = 'hash=';
$hash = '';But if user will add & to his first_name or last_name, this will cause additional wrong "entry" in $initDataArray and will fail validation.
Currently
rawurldecodecalled before splitting line by&(here):But if user will add
&to hisfirst_nameorlast_name, this will cause additional wrong "entry" in$initDataArrayand will fail validation.