Index: core/string_api.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/core/string_api.php,v
retrieving revision 1.92
diff -u -r1.92 string_api.php
--- core/string_api.php	8 Sep 2007 23:21:01 -0000	1.92
+++ core/string_api.php	23 Oct 2007 13:09:30 -0000
@@ -199,7 +199,6 @@
 	# --------------------
 	# validate the url as part of this site before continuing
 	function string_sanitize_url( $p_url ) {
-
 		$t_url = strip_tags( urldecode( $p_url ) );
 		if ( preg_match( '?http(s)*://?', $t_url ) > 0 ) { 
 			// no embedded addresses
@@ -217,13 +216,20 @@
 			list( $t_path, $t_param ) = split( '\?', $t_url, 2 );
 			if ( $t_param !== "" ) {
 				$t_vals = array();
-				parse_str( $t_param, $t_vals );
+				parse_str( html_entity_decode( $t_param ), $t_vals );
 				$t_param = '';
 				foreach($t_vals as $k => $v) {
 					if ($t_param != '') {
-						$t_param .= '&'; 
+						$t_param .= '&amp;'; 
+					}
+					if ( is_array( $v ) ) {
+						for ( $i = 0, $size = sizeof( $v ); $i < $size; $i++ ) {
+							$t_param .= $k . urlencode('[]') . '=' . urlencode( strip_tags( urldecode( $v[$i] ) ) );
+							$t_param .= ( $i != $size - 1 ) ? '&amp;' : '';
+						}
+					} else {
+						$t_param .= "$k=" . urlencode( strip_tags( urldecode( $v ) ) );
 					}
-					$t_param .= "$k=" . urlencode( strip_tags( urldecode( $v ) ) );
 				}
 				return $t_path . '?' . $t_param;
 			} else {
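Review bot: The parameter name `$k` is still concatenated into the rebuilt query string unencoded, in both the new array branch and the scalar branch, while only the values pass through `strip_tags`/`urlencode`. Because `parse_str` URL-decodes names as well as values, and this change now runs `html_entity_decode` over the input first, quotes or angle brackets in a name can survive into the returned URL. Treat the name like the value, e.g. `$t_key = urlencode( strip_tags( $k ) );`, and use `$t_key` in both branches. The new `for` loop also indexes `$v[$i]` from 0, so it assumes a flat zero-based list: a keyed parameter such as `a[x]=1` or a nested `a[][]=1` would hit undefined offsets or pass an array to `urldecode`, so a `foreach` that skips non-scalar elements would be safer. `string_sanitize_url` begins before this hunk and continues after it.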
