I originally thought this was a bug w/ signup and I'm surprised I am the first person to mention this...
After installing, I tried to alter the default confirmation & reminder email messages. I kept getting a '400 Bad Request' from Apache. It took me a few days (mostly due to bigger priorities) to figure out what the cause was. By chance today, I tried just updating the 'send signups to' email address instead of both it and the messages. Surprisingly it posted w/o any problems.
After looking at my logs I came across this:
Message: Access denied with code 400 (phase 2). Pattern match "\\%(?!$|\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:signup_confirmation_email. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]
Action: Intercepted (phase 2)
Stopwatch: 1198233185604049 25222 (1312* 24542 -)
Producer: ModSecurity v2.1.2 (Apache 2.x)
Server: Apache

It seems like my WAF didn't like signup's % as a substitute string identifier since it's also used to encode URLs. I tested it by using the same email message that produced this error except replacing the %'s with Drupal's usual identifier ! (yes, I know signup won't substitute !'s, it's just a test) and it posted w/o any problems.
If I went through signup.module and did a simple find/replace on {%event, %time, %username, %useremail, %info} and changed them to {, , , , }, would that solve this problem for me, i.e. is this the only consideration I need to take?
Right now I have zero signup-enabled nodes and zero signed-up users; I'm not sure whether that would matter if I did.
I am only two weeks into my first drupal installation so feedback on this is appreciated.
Thank you.
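The following is an added example, not part of the original post or of the signup module: it re-implements the regex quoted in the ModSecurity log entry (rule 950107) so an administrator can check offline which substrings of a message body would trigger the 400 before saving the settings form. It assumes Python's re engine treats the lookahead the same way ModSecurity's PCRE does, and uses a constructed sample message; %date is not a signup token and is included only to show that a token whose first two letters happen to be hex digits slips past the rule.

```python
import re

# Regex from the log excerpt (rule id 950107). In the rule, "\%" is a literal "%".
# The negative lookahead tolerates "%" only when it ends the value, precedes a
# non-word character, or begins a well-formed %XX / %uXXXX escape sequence.
URL_ENCODING_ABUSE = re.compile(r"%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")


def would_be_blocked(value: str) -> bool:
    """True if ModSecurity rule 950107 would intercept this argument value."""
    return bool(URL_ENCODING_ABUSE.search(value))


def find_blocked_percents(value: str) -> list[str]:
    """Return every '%'-token (the '%' plus following word characters) that trips the rule."""
    # Each match is a '%' followed by a word character, so '%\w*' always matches here.
    return [re.match(r"%\w*", value[m.start():]).group()
            for m in URL_ENCODING_ABUSE.finditer(value)]


def check_tokens(tokens) -> dict[str, bool]:
    """Map each substitution token to whether it trips the rule.

    Only the two characters right after '%' matter: a token starting with two
    hex digits (e.g. the hypothetical %date) looks like a valid escape and passes.
    """
    return {tok: would_be_blocked(tok) for tok in tokens}


# Constructed sample of a signup confirmation message using the module's % tokens.
SAMPLE_MESSAGE = (
    "Hi %username, you are signed up for %event at %time. "
    "Reply to %useremail for details. 100% confirmed!"
)

if __name__ == "__main__":
    print(would_be_blocked(SAMPLE_MESSAGE))
    print(find_blocked_percents(SAMPLE_MESSAGE))
    print(check_tokens(["%event", "%time", "%username", "%useremail", "%info", "%date"]))
    # Drupal-style ! tokens, a bare "50% off" and real escapes all pass the rule.
    print(would_be_blocked("Hi !username, 50% off %20 %u0041"))
```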
Comments
Comment #1
dww

Seems like this is going to be a problem if your Web Application Firewall is blocking % in lots of parts of Drupal, not just signup. I don't know what to tell you, other than to reconfigure your WAF to not do that. ;) It seems like quite a mess to provide a setting or other way to change the delimiter character on the signup tokens. See #328840: Rename the email tokens, especially %event and %eventurl for example...