2 files changed, 9 insertions, 7 deletions

diff --git a/includes/common.inc b/includes/common.inc
index 4b41373fe..98b654316 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -2149,17 +2149,19 @@ function drupal_json($var = NULL) {
  * Notes:
  * - For esthetic reasons, we do not escape slashes. This also avoids a 'feature'
  *   in Apache where it 404s on any path containing '%2F'.
- * - mod_rewrite's unescapes %-encoded ampersands and hashes when clean URLs
- *   are used, which are interpreted as delimiters by PHP. These characters are
- *   double escaped so PHP will still see the encoded version.
+ * - mod_rewrite unescapes %-encoded ampersands, hashes, and slashes when clean
+ *   URLs are used, which are interpreted as delimiters by PHP. These
+ *   characters are double escaped so PHP will still see the encoded version.
+ * - With clean URLs, Apache changes '//' to '/', so every second slash is
+ *   double escaped.
  *
  * @param $text
  *   String to encode
  */
 function drupal_urlencode($text) {
   if (variable_get('clean_url', '0')) {
-    return str_replace(array('%2F', '%26', '%23'),
-                       array('/', '%2526', '%2523'),
+    return str_replace(array('%2F', '%26', '%23', '//'),
+                       array('/', '%2526', '%2523', '/%252F'),
                        urlencode($text));
   }
   else {
diff --git a/misc/drupal.js b/misc/drupal.js
index 0c155f7d6..c2e862435 100644
--- a/misc/drupal.js
+++ b/misc/drupal.js
@@ -369,8 +369,8 @@ Drupal.unfreezeHeight = function () {
  */
 Drupal.encodeURIComponent = function (item, uri) {
   uri = uri || location.href;
-  item = encodeURIComponent(item).replace('%2F', '/');
-  return uri.indexOf('?q=') ? item : item.replace('%26', '%2526').replace('%23', '%2523');
+  item = encodeURIComponent(item).replace(/%2F/g, '/');
+  return (uri.indexOf('?q=') != -1) ? item : item.replace(/%26/g, '%2526').replace(/%23/g, '%2523').replace(/\/\//g, '/%252F');
 };
 
 /**