Thank you for taking the time to report this bug and helping to make Ubuntu better.
The url_encode calls were added in 3.0.2 to fix XSS security issues; however, the implementation was buggy, as you saw.
It was later fixed in 3.0.4 by using a new "escape_string" function. We need to pull that one (from cgi/cgiutils.c) to properly fix this bug, together with all the CGIs modified to take advantage of it.
I am closing this bug because it has been fixed in the latest development version of Ubuntu - the Jaunty Jackalope.
If you need a fix for the bug for 8.10, please do steps 1 and 2 of the SRU Procedure [1] to bring the need to a developer's attention.
[1]: https://wiki.ubuntu.com/StableReleaseUpdates#Procedure