--- CGI.pm.orig 2003-04-28 15:35:56.000000000 +0200
+++ CGI.pm 2003-07-21 20:32:45.000000000 +0200
@@ -1629,7 +1629,7 @@
 unless (defined $action) {
 $action = $self->url(-absolute=>1,-path=>1);
 if (length($ENV{QUERY_STRING})>0) {
- $action .= "?$ENV{QUERY_STRING}";
+ $action .= '?' . $self->escapeHTML($ENV{QUERY_STRING},1);
 }
 }
 $action = qq(action="$action");
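Review bot: The path half of the default action is still interpolated without escaping: `$action = $self->url(-absolute=>1,-path=>1);` flows straight into `qq(action="$action")`, and with `-path=>1` that value carries request path info, which is client-controlled in the same way as QUERY_STRING. Unless url() already HTML-escapes its result (not visible in this hunk), the attribute can still be broken out of through the path, so I would write `$action = $self->escapeHTML($self->url(-absolute=>1,-path=>1));`. A caller-supplied `$action` skips the `unless` block and reaches the final `qq(...)` line unescaped as well; that is the caller's data, but it deserves a comment such as `# caller-supplied -action must already be HTML-escaped`. The enclosing sub begins and ends outside the hunk, so any earlier handling of `$action` cannot be checked from here.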