In certain conditions, the BadCSSChars parameter can't be initialized correctly, and the Web Agent will not block the characters listed.

This applies to all BadFormChars, BadQueryChars, BadUrlChars ACO parameters too.

One instance had somehow a strange character entered in the ACO parameter which caused the issue.

In one particular case, upon exporting the Policy Store data and comparing working vs. not working ACO settings, somehow the following characters were in BadCSSChars:

%E2%80%99

that is printed as ’

This is the UTF8 representation of a strange single quote character (1).

The Web Agent can't handle this, and as a result doesn't correctly perform checking on BadCSSChars.

Redoing the ACO manually to make sure a proper regular single quote ' character was in place, rather than this strange unusable single quote representation ’ resolved the issue and the characters listed on the ACO began being properly blocked.

1. UTF-8 Encoding Debugging Chart