Actually, I thought CGI stuff was escaped because it's basically
URL-like, and URLs are escaped so they are easy to read/print/etc.
Nothing to do with security.

> The QUERY_STRING may be empty and certainly does not need to be
> a "beast" if client data is dispatched with method POST -- the
> *recommended* way.

Well, you could certainly make the server decode the URL escapes instead
of the CGI script, but that doesn't mean having the CGI script do it is
somehow wrong.
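
For reference, a sketch of the script-side decoding discussed in this message. It is an added example, not code from the thread: the function names and the sample query string are constructed, and Python is used only for illustration. It splits QUERY_STRING on the raw separators before decoding each piece, and includes the reverse order for comparison.

```python
import os
from urllib.parse import unquote_plus

# Constructed sample: the value of "q" contains an escaped '&' and '='.
SAMPLE = "q=tom%26jerry%3Dcartoon&lang=en&note=a+b%21"


def parse_query_string(qs):
    """Split on the raw '&' and '=' first, then decode each name and value."""
    pairs = []
    for field in qs.split("&"):
        if not field:                      # tolerate "a=1&&b=2" and empty input
            continue
        name, _, value = field.partition("=")
        # unquote_plus maps '+' to space and %XX to the byte it encodes;
        # malformed escapes such as a trailing '%' are left as they are.
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def decode_then_split(qs):
    """Comparison only: decoding the whole string before splitting."""
    decoded = unquote_plus(qs)
    return [tuple(f.partition("=")[::2]) for f in decoded.split("&") if f]


if __name__ == "__main__":
    # A CGI script receives the still-escaped string in QUERY_STRING.
    raw = os.environ.get("QUERY_STRING") or SAMPLE
    print("split, then decode:", parse_query_string(raw))
    print("decode, then split:", decode_then_split(raw))
```

With the sample input the first order yields three fields and the second yields four, because the escaped separators inside the value of "q" are no longer distinguishable from real ones once the whole string has been decoded.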