Description
Jetty version(s)
12.0.18 (problem also exists in latest Jetty version)
Jetty Environment
Core
Java version/vendor (use: java -version)
JAVA 17
OS type/version
Linux
Description
public static char sanitizeFieldVchar(char c) will convert a valid horizontal tab "\t" into "?", causing traffic failure.
As indicated in RFC 9110, an HTAB is a valid OWS (5.6.3 Whitespace) that is allowed in HTTP header parameters (5.6.6 Parameters) and HTTP field values (5.5 Field Values). However, Jetty treats HTAB as an illegal control character.
public static boolean isIllegalFieldVchar(char c) { return (c >= 256 || c < ' '); }
For your reference:
5.6.6 Parameters
parameters = *( OWS ";" OWS [ parameter ] )
parameter = parameter-name "=" parameter-value
parameter-name = token
parameter-value = ( token / quoted-string )
5.6.3 Whitespace
OWS = *( SP / HTAB )
; optional whitespace
5.5 Field Values
field-value = *field-content
field-content = field-vchar
[ 1*( SP / HTAB / field-vchar ) field-vchar ]
field-vchar = VCHAR / obs-text
obs-text = %x80-FF
We also tested the behavior of other popular web servers:
Jetty is the only one that handled this issue differently.
How to reproduce?
Send an HTTP/2 request with 'Content-Type: text/plain; \t\t\tcharset=UTF-8'; each '\t' will be replaced by '?', as shown in
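
An added example (not code from the Jetty project or from the report) that runs the predicate quoted above next to a check derived from the RFC 9110 ABNF quoted above, on the Content-Type value from the reproduction step. `isIllegalPerRfc9110`, `sanitize`, `visible` and the CR/LF and NUL samples are assumptions made for the illustration; they show that allowing HTAB does not require letting other control characters through.

```java
public class FieldVcharCheck {
    // Predicate exactly as quoted in the report: every char below SP, HTAB included, is illegal.
    static boolean isIllegalFieldVchar(char c) {
        return (c >= 256 || c < ' ');
    }

    // Hypothetical alternative following the RFC 9110 section 5.5 ABNF quoted in the report:
    // SP / HTAB / VCHAR (%x21-7E) / obs-text (%x80-FF) are legal inside a field value.
    static boolean isIllegalPerRfc9110(char c) {
        if (c == '\t' || c == ' ') return false;
        return !((c >= 0x21 && c <= 0x7E) || (c >= 0x80 && c <= 0xFF));
    }

    interface CharTest { boolean illegal(char c); }

    // Replace each illegal char with '?', the behaviour the report describes.
    static String sanitize(String value, CharTest test) {
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            out.append(test.illegal(c) ? '?' : c);
        }
        return out.toString();
    }

    // Make control characters visible when printing.
    static String visible(String s) {
        return s.replace("\t", "\\t").replace("\r", "\\r")
                .replace("\n", "\\n").replace("\0", "\\0");
    }

    public static void main(String[] args) {
        String[] samples = {
            "text/plain; \t\t\tcharset=UTF-8",   // value from the reproduction step
            "text/plain\r\nX-Other: 1",          // constructed: CR/LF must still be replaced
            "text/plain;\0charset=UTF-8"         // constructed: NUL must still be replaced
        };
        for (String s : samples) {
            System.out.println("input    : " + visible(s));
            System.out.println("reported : " + visible(sanitize(s, FieldVcharCheck::isIllegalFieldVchar)));
            System.out.println("rfc9110  : " + visible(sanitize(s, FieldVcharCheck::isIllegalPerRfc9110)));
        }
    }
}
```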