From 657b3947618ed82668d69dabe38c5bfdd3cda8f7 Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Thu, 1 Jul 2004 12:59:09 +0000
Subject: [PATCH] Conducting a conversation by means of comments
---
 includes/Title.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/includes/Title.php b/includes/Title.php
index 35ae3e8391..87d7e96674 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -188,8 +188,16 @@ class Title {
 # Missing characters:
 # * []|# Needed for link syntax
 # * % and + are corrupted by Apache when they appear in the path
- # * % seems to work though
- #
+ #
+ # % seems to work though
+ #
+ # The problem with % is that URLs are double-unescaped: once by Apache's
+ # path conversion code, and again by PHP. So %253F, for example, becomes "?".
+ # Our code does not double-escape to compensate for this, indeed double escaping
+ # would break if the double-escaped title was passed in the query string
+ # rather than the path. This is a minor security issue because articles can be
+ # created such that they are hard to view or edit. -- TS
+ #
 # Theoretically 0x80-0x9F of ISO 8859-1 should be disallowed, but
 # this breaks interlanguage links
-- 
2.20.1
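Review bot: The added paragraph records a security-relevant decoding problem only as a signed comment, and it leaves `# % seems to work though` directly above it, so the block now says both that % works and that % is the problem. I would merge the two into one statement, e.g. `# % is accepted in titles, but is decoded twice when it arrives in the path (see below)`, and add a `# TODO:` line naming the intended fix so the issue is tracked rather than left as a conversation in comments. Since the comment says a title is decoded differently when it arrives in the path than in the query string, any check against the legal character set presumably needs to run on the fully decoded form; the code that does this is not visible here, so that is worth confirming. The enclosing function starts and ends outside the hunk.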