Comment 2 for bug 322952

Thierry Carrez (ttx) wrote:

Thank you for taking the time to report this bug and helping to make Ubuntu better.

The url_encode calls were added in 3.0.2 to fix XSS security issues; however, the implementation was buggy, as you saw.

It was later fixed in 3.0.4 by using a new "escape_string" function. We need to pull that one (from cgi/cgiutils.c) to properly fix this bug, together with all the CGIs modified to take advantage of it.

I am closing this bug because it has been fixed in the latest development version of Ubuntu - the Jaunty Jackalope.

If you need a fix for the bug for 8.10, please do steps 1 and 2 of the SRU Procedure [1] to bring the need to a developer's attention.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates#Procedure
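As an added illustration (not Nagios code, and not the escape_string() from cgi/cgiutils.c that the comment refers to), this is the kind of HTML-escaping routine a CGI needs before writing user-controlled fields such as host or service names into its output. It never splits an entity when the output buffer is too small, so even a truncated result stays well-formed; the input string is constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape a string for inclusion in HTML text or a quoted attribute.
 * Every character that can open a tag, entity or attribute delimiter
 * becomes a named/numeric entity. At most out_len-1 bytes are written
 * followed by a NUL; the return value is the length the full escaped
 * string would have (snprintf-style), so callers can detect truncation. */
size_t html_escape(const char *in, char *out, size_t out_len) {
    size_t needed = 0, written = 0;
    int truncated = 0;
    for (const char *p = in; *p; p++) {
        char one[2] = { *p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        /* Copy a replacement only if it fits whole, leaving room for NUL;
         * once one does not fit, stop writing so no entity is cut in half. */
        if (!truncated && written + rl < out_len) {
            memcpy(out + written, rep, rl);
            written += rl;
        } else {
            truncated = 1;
        }
        needed += rl;
    }
    if (out_len > 0)
        out[written] = '\0';
    return needed;
}

int main(void) {
    /* Constructed, attacker-shaped host name as a CGI might receive it. */
    const char *host = "<script>alert('x')</script>";
    char buf[128];
    size_t n = html_escape(host, buf, sizeof buf);
    if (n >= sizeof buf)
        fputs("escaped value truncated\n", stderr);
    printf("<td>%s</td>\n", buf);  /* safe to emit into the page */
    return 0;
}
```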