Comment 3 for bug 577822

According to upstream, this is a deliberate limitation:

"This is the correct behavior, since we only block "%[0-9A-Fa-f]{2}" to not conflict with URL escaping sequences (includes/Title.php line 2420 in trunk)."