View Issue Details

ID: 0007257
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2006-09-12 00:52
Reporter: thraxisp
Assigned To: thraxisp
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.3
Fixed in Version: 1.1.0a1
Summary: 0007257: Port: Fix for 0006869 / 0007034 removes quoted "?" from arguments
Description

The fix for 0006869 / 0007034 (in cvs) removes quoted "?" from arguments with the lines

    function string_sanitize_url( $p_url ) {
    [...]
    $t_url = strip_tags( urldecode( $p_url ) );
    [...]
    $t_param = str_replace( '?','', $t_param );

Is there some security reason for this? I have not found a code break in a release version, but it breaks my patch in 0005432. This produces URLs like:

    set_project.php?project_id=7&make_default=no&ref=bug_view_page.php%3Fbug_id%3D4230

after string_sanitize_url this is transformed to

    set_project.php?project_id=7&make_default=no&ref=bug_view_page.phpbug_id%3D4230

Note that the "%3f" for ? has been removed and the new URL is invalid.

If there is no security reason for it, I would suggest removing the "$t_param = str_replace( '?','', $t_param );" line.
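Added example, not MantisBT's own string_sanitize_url(): a Python model of the two sanitizing orders, written to make the defect in the report reproducible. The first function mirrors the sequence quoted above (urldecode the whole URL, strip tags, delete every "?" from the parameter string, then re-encode each value) and on the report's URL produces exactly the broken result shown. The second splits the URL while it is still encoded, so the "?" inside the ref value is data rather than a delimiter and survives as %3F, while tags are still stripped from every decoded value. The re-encoding step, the minimal strip_tags() stand-in and the rejection of absolute or protocol-relative targets (HOME_PAGE) are assumptions of this example, not something the report states.

```python
# Added example (not MantisBT's string_sanitize_url): two ways to sanitize a
# site-relative URL that carries a nested URL in its 'ref' parameter.
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode, urlsplit, urlunsplit

# URL taken from the report above.
SAMPLE = "set_project.php?project_id=7&make_default=no&ref=bug_view_page.php%3Fbug_id%3D4230"

# Assumed fallback for targets that are not site-relative (the report does not
# say what the real function returns in that case).
HOME_PAGE = "/"

_TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(text: str) -> str:
    """Minimal stand-in for PHP's strip_tags(): drop anything that looks like a tag."""
    return _TAG_RE.sub("", text)


def sanitize_decode_then_strip(url: str) -> str:
    """Mirror the order quoted in the report: decode the whole URL, strip tags,
    delete every '?' from the parameter string, then re-encode each value
    (the re-encoding is an assumption that reproduces the %3D in the report's
    output). Because decoding happens first, the %3F inside 'ref' is already a
    literal '?' when the replace runs, so it is deleted with any other '?'."""
    decoded = strip_tags(unquote_plus(url))
    path, sep, params = decoded.partition("?")
    if not sep:
        return decoded
    params = params.replace("?", "")  # the line the report asks about
    pairs = parse_qsl(params, keep_blank_values=True)
    return path + "?" + urlencode(pairs)


def sanitize_parse_first(url: str) -> str:
    """Split the URL while it is still encoded. The first unencoded '?' is the
    only delimiter; an encoded '?' inside a value is data. Each value is decoded
    on its own, tag-stripped and re-encoded, so the nested URL in 'ref' keeps
    its %3F while markup is still removed."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # Assumption: only site-relative targets are acceptable, so absolute and
        # protocol-relative URLs are replaced by the home page.
        return HOME_PAGE
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # decodes each key/value
    clean = [(strip_tags(k), strip_tags(v)) for k, v in pairs]
    return urlunsplit(("", "", strip_tags(parts.path), urlencode(clean), ""))


if __name__ == "__main__":
    print("decode-then-strip:", sanitize_decode_then_strip(SAMPLE))
    print("parse-first:      ", sanitize_parse_first(SAMPLE))
```

Running the block prints the report's broken URL for the first function and the unchanged SAMPLE for the second; the design point is that delimiter handling must happen before decoding, because after decoding there is no way to tell a nested "?" from the real query separator.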

Tags: No tags attached.

Relationships

child of 0007051 (closed, thraxisp): Fix for 0006869 / 0007034 removes quoted "?" from arguments

Activities

thraxisp (reporter), 2006-07-04 23:14, note ~0013066

Fixed in CVS

core/string_api.php -> 1.82