? files
? modules/taxonomy/.taxonomy.module.swp
? modules/taxonomy/.taxonomy.pages.inc.swp
? sites/drumm-laptop.head
? sites/all/modules
Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.708
diff -u -F^f -r1.708 common.inc
--- includes/common.inc	25 Oct 2007 15:38:24 -0000	1.708
+++ includes/common.inc	3 Nov 2007 22:30:28 -0000
@@ -207,7 +207,7 @@ function drupal_query_string_encode($que
   $params = array();
 
   foreach ($query as $key => $value) {
-    $key = drupal_urlencode($key);
+    $key = drupal_urlencode($key, TRUE);
     if ($parent) {
       $key = $parent .'['. $key .']';
     }
@@ -220,7 +220,7 @@ function drupal_query_string_encode($que
       $params[] = drupal_query_string_encode($value, $exclude, $key);
     }
     else {
-      $params[] = $key .'='. drupal_urlencode($value);
+      $params[] = $key .'='. drupal_urlencode($value, TRUE);
     }
   }
 
@@ -239,7 +239,7 @@ function drupal_query_string_encode($que
  */
 function drupal_get_destination() {
   if (isset($_REQUEST['destination'])) {
-    return 'destination='. urlencode($_REQUEST['destination']);
+    return 'destination='. drupal_urlencode($_REQUEST['destination'], TRUE);
   }
   else {
     // Use $_GET here to retrieve the original path in source form.
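Review bot: `$_REQUEST['destination']` is passed to the encoder on the changed line without checking that it is a string. A request that sends `destination[]=x` makes it an array, which the underlying `urlencode()` call would presumably reject with a warning and an empty result. Tightening the guard on the context line to `if (isset($_REQUEST['destination']) && is_string($_REQUEST['destination'])) {` lets malformed input fall through to the `$_GET`-based default instead. The body of drupal_get_destination() continues past this hunk.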
@@ -248,7 +248,7 @@ function drupal_get_destination() {
     if ($query != '') {
       $path .= '?'. $query;
     }
-    return 'destination='. urlencode($path);
+    return 'destination='. drupal_urlencode($path, TRUE);
   }
 }
 
@@ -1200,17 +1200,17 @@ function format_date($timestamp, $type =
  *   existing URL like "http://drupal.org/".
  * @param $options
  *   An associative array of additional options, with the following keys:
- *     'query'
- *       A query string to append to the link, or an array of query key/value
- *       properties.
- *     'fragment'
+ *     - 'query'
+ *       An associative array of query key/value properties or a query string
+ *       to append to the link. Query strings are not filtered for url injection.
+ *     - 'fragment'
  *       A fragment identifier (or named anchor) to append to the link.
  *       Do not include the '#' character.
- *     'absolute' (default FALSE)
+ *     - 'absolute' (default FALSE)
  *       Whether to force the output to be an absolute link (beginning with
  *       http:). Useful for links that will be displayed outside the site, such
  *       as in an RSS feed.
- *     'alias' (default FALSE)
+ *     - 'alias' (default FALSE)
  *       Whether the given path is an alias already.
  *     'external'
  *       Whether the given path is an external URL.
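Review bot: The `'external'` entry at the end of this hunk did not get the `- ` list marker that the other four keys received, so the option list is now inconsistent; it should read ` *     - 'external'`. The new sentence "Query strings are not filtered for url injection" names the risk but does not tell the caller what to do about it. I would reword it to say that a string is appended as given, so the caller must encode every component, and that the array form is preferred whenever a value comes from user input. That advice assumes url() routes arrays through drupal_query_string_encode(), which is not visible in this patch.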
@@ -2243,12 +2243,13 @@ function drupal_json($var = NULL) {
  * Wrapper around urlencode() which avoids Apache quirks.
  *
  * Should be used when placing arbitrary data in an URL. Note that Drupal paths
- * are urlencoded() when passed through url() and do not require urlencoding()
- * of individual components.
+ * are encoded when passed through url() and do not require encoding of
+ * individual components.
  *
  * Notes:
  * - For esthetic reasons, we do not escape slashes. This also avoids a 'feature'
  *   in Apache where it 404s on any path containing '%2F'.
+ * In only the main path, not query string
  * - mod_rewrite unescapes %-encoded ampersands, hashes, and slashes when clean
  *   URLs are used, which are interpreted as delimiters by PHP. These
  *   characters are double escaped so PHP will still see the encoded version.
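Review bot: The added line `In only the main path, not query string` is a sentence fragment at list-marker indentation, wedged between two bullets so it reads as belonging to neither. Make it a continuation of the slash bullet, for example ` *   This applies only to the main path, not to query strings.` The mod_rewrite bullet that follows is also path-only, because the signature change later in this patch skips the double escaping when `$query_string` is TRUE, and it should say so.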
@@ -2257,9 +2258,11 @@ function drupal_json($var = NULL) {
  *
  * @param $text
  *   String to encode
+ * @param $query_string
+ *   TRUE if encoding for a query string, FALSE if encoding for the main URL.
  */
-function drupal_urlencode($text) {
-  if (variable_get('clean_url', '0')) {
+function drupal_urlencode($text, $query_string = FALSE) {
+  if (!$query_string && variable_get('clean_url', '0')) {
     return str_replace(array('%2F', '%26', '%23', '//'),
                        array('/', '%2526', '%2523', '/%252F'),
                        urlencode($text));
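Review bot: The new `@param $query_string` text gives neither the default nor the effect of the flag. Suggested wording: `TRUE if encoding for a query string, FALSE (default) if encoding for the main URL. When TRUE, the clean-URL double escaping of '&', '#' and '//' is skipped.` The `else` branch that now handles every query-string call lies outside this hunk, so its treatment of '%2F' should be checked against the slash note in the docblock.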
Index: modules/comment/comment.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment/comment.module,v
retrieving revision 1.597
diff -u -F^f -r1.597 comment.module
--- modules/comment/comment.module	31 Oct 2007 17:50:47 -0000	1.597
+++ modules/comment/comment.module	3 Nov 2007 22:30:29 -0000
@@ -1604,17 +1604,17 @@ function theme_comment_post_forbidden($n
   else {
     // we cannot use drupal_get_destination() because these links sometimes appear on /node and taxo listing pages
     if (variable_get('comment_form_location_'. $node->type, COMMENT_FORM_SEPARATE_PAGE) == COMMENT_FORM_SEPARATE_PAGE) {
-      $destination = "destination=". drupal_urlencode("comment/reply/$node->nid#comment-form");
+      $query['destination'] = 'comment/reply/'. $node->nid .'#comment-form';
     }
     else {
-      $destination = "destination=". drupal_urlencode("node/$node->nid#comment-form");
+      $query['destination'] = 'node/'. $node->nid .'#comment-form';
     }
 
     if (variable_get('user_register', 1)) {
-      return t('<a href="@login">Login</a> or <a href="@register">register</a> to post comments', array('@login' => url('user/login', array('query' => $destination)), '@register' => url('user/register', array('query' => $destination))));
+      return t('<a href="@login">Login</a> or <a href="@register">register</a> to post comments', array('@login' => url('user/login', array('query' => $query)), '@register' => url('user/register', array('query' => $query))));
     }
     else {
-      return t('<a href="@login">Login</a> to post comments', array('@login' => url('user/login', array('query' => $destination))));
+      return t('<a href="@login">Login</a> to post comments', array('@login' => url('user/login', array('query' => $query))));
     }
   }
 }
Index: modules/update/update.fetch.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/update/update.fetch.inc,v
retrieving revision 1.4
diff -u -F^f -r1.4 update.fetch.inc
--- modules/update/update.fetch.inc	20 Oct 2007 21:57:50 -0000	1.4
+++ modules/update/update.fetch.inc	3 Nov 2007 22:30:29 -0000
@@ -78,12 +78,13 @@ function _update_build_fetch_url($projec
   $url .= '/'. $name .'/'. DRUPAL_CORE_COMPATIBILITY;
   if (!empty($site_key)) {
     $url .= (strpos($url, '?') === TRUE) ? '&' : '?';
-    $url .= 'site_key=';
-    $url .= drupal_urlencode($site_key);
+    $query = array(
+      'site_key' => $site_key;
+    );
     if (!empty($project['info']['version'])) {
-      $url .= '&version=';
-      $url .= drupal_urlencode($project['info']['version']);
+      $query['version'] = $project['info']['version'];
     }
+    $url .= drupal_query_string_encode($query);
   }
   return $url;
 }
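Review bot: The new array literal ends its only element with a semicolon (`'site_key' => $site_key;`), which is a parse error; it must be `'site_key' => $site_key,`. The context line above it tests `strpos($url, '?') === TRUE`, but strpos() never returns TRUE, so the separator is always '?' even when `$url` already has a query string. That line should be `$url .= (strpos($url, '?') !== FALSE) ? '&' : '?';`. Since this file is loaded by the update-status fetch, a syntax error here would presumably break update checking entirely, so the patch needs at least a lint pass before commit.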
Index: docs/index.php
===================================================================
RCS file: /cvs/drupal-contrib/contributions/docs/developer/index.php,v
retrieving revision 1.17
diff -u -F^f -r1.17 index.php
--- docs/index.php	1 Oct 2007 07:39:29 -0000	1.17
+++ docs/index.php	3 Nov 2007 22:30:31 -0000
@@ -18,7 +18,7 @@
  *   - @link search Search system @endlink
  *   - @link node_access Node access system @endlink
  *   - @link themeable Theme system @endlink
- *   - @link constants Constants
+ *   - @link constants Constants @endlink
  * - Example modules
  *   - @link block_example.module How to define blocks @endlink
  *   - @link filter_example.module How to define a content filter @endlink
