diff --git a/src/parser/PhutilURI.php b/src/parser/PhutilURI.php
index d72c032..f9612fd 100644
--- a/src/parser/PhutilURI.php
+++ b/src/parser/PhutilURI.php
@@ -1,224 +1,224 @@ protocol = idx($parts, 'scheme', ''); $this->user = rawurldecode(idx($parts, 'user', '')); $this->pass = rawurldecode(idx($parts, 'pass', '')); $this->domain = idx($parts, 'host', ''); $this->port = (string)idx($parts, 'port', ''); $this->path = idx($parts, 'path', ''); $query = idx($parts, 'query'); if ($query) { $this->query = id(new PhutilQueryStringParser())->parseQueryString( $query); } $this->fragment = idx($parts, 'fragment', ''); } public function __toString() { $prefix = null; if ($this->protocol || $this->domain || $this->port) { $protocol = nonempty($this->protocol, 'http'); $auth = ''; if (strlen($this->user) && strlen($this->pass)) { - $auth = phutil_escape_uri($this->user).':'. - phutil_escape_uri($this->pass).'@'; + $auth = rawurlencode($this->user).':'. + rawurlencode($this->pass).'@'; } else if (strlen($this->user)) { - $auth = phutil_escape_uri($this->user).'@'; + $auth = rawurlencode($this->user).'@'; } $prefix = $protocol.'://'.$auth.$this->domain; if ($this->port) { $prefix .= ':'.$this->port; } } if ($this->query) { $query = '?'.http_build_query($this->query, '', '&'); } else { $query = null; } if (strlen($this->getFragment())) { $fragment = '#'.$this->getFragment(); } else { $fragment = null; } return $prefix.$this->getPath().$query.$fragment; } public function setQueryParam($key, $value) { if ($value === null) { unset($this->query[$key]); } else { $this->query[$key] = $value; } return $this; } public function setQueryParams(array $params) { $this->query = $params; return $this; } public function getQueryParams() { return $this->query; } public function setProtocol($protocol) { $this->protocol = $protocol; return $this; } public function getProtocol() { return $this->protocol; } public function setDomain($domain) { $this->domain = $domain; return $this; } public function getDomain() { return $this->domain; } public function setPort($port) { $this->port = $port; return $this; } public function getPort() { return 
$this->port; } public function getPortWithProtocolDefault() { static $default_ports = array( 'http' => '80', 'https' => '443', 'ssh' => '22', ); return nonempty( $this->getPort(), idx($default_ports, $this->getProtocol()), ''); } public function setPath($path) { if ($this->domain && strlen($path) && $path[0] !== '/') { $path = '/'.$path; } $this->path = $path; return $this; } public function appendPath($path) { $first = strlen($path) ? $path[0] : null; $last = strlen($this->path) ? $this->path[strlen($this->path) - 1] : null; if (!$this->path) { return $this->setPath($path); } else if ($first === '/' && $last === '/') { $path = substr($path, 1); } else if ($first !== '/' && $last !== '/') { $path = '/'.$path; } $this->path .= $path; return $this; } public function getPath() { return $this->path; } public function setFragment($fragment) { $this->fragment = $fragment; return $this; } public function getFragment() { return $this->fragment; } public function setUser($user) { $this->user = $user; return $this; } public function getUser() { return $this->user; } public function setPass($pass) { $this->pass = $pass; return $this; } public function getPass() { return $this->pass; } public function alter($key, $value) { $altered = clone $this; $altered->setQueryParam($key, $value); return $altered; } } diff --git a/src/parser/__tests__/PhutilURITestCase.php b/src/parser/__tests__/PhutilURITestCase.php index e835bfd..57b68f8 100644 --- a/src/parser/__tests__/PhutilURITestCase.php +++ b/src/parser/__tests__/PhutilURITestCase.php 
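Review bot: The switch from phutil_escape_uri() to rawurlencode() for the user and pass components in __toString() carries no comment, so a later "consistency" cleanup could silently revert it to the helper the rest of the file uses. Judging from the %2F case added to the test file, the difference presumably is that rawurlencode() also escapes '/' (and the other reserved characters) inside the userinfo part, so that the emitted string is re-parsed identically by parse_url() and cURL. I would add above the first `$auth =` branch: `// Use rawurlencode(), not phutil_escape_uri(): userinfo must escape every reserved character (including '/') so the emitted URI is interpreted unambiguously; see T6755.` The `else if (strlen($this->user))` branch still drops a non-empty password when the user is empty; that is pre-existing behaviour, but if intentional it deserves a one-line comment as well.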
@@ -1,162 +1,167 @@ assertEqual('http', $uri->getProtocol(), pht('protocol')); $this->assertEqual('user', $uri->getUser(), pht('user')); $this->assertEqual('pass', $uri->getPass(), pht('password')); $this->assertEqual('host', $uri->getDomain(), pht('domain')); $this->assertEqual('99', $uri->getPort(), pht('port')); $this->assertEqual('/path/', $uri->getPath(), pht('path')); $this->assertEqual( array( 'query' => 'value', ), $uri->getQueryParams(), 'query params'); $this->assertEqual('fragment', $uri->getFragment(), pht('fragment')); $this->assertEqual( 'http://user:pass@host:99/path/?query=value#fragment', (string)$uri, 'uri'); $uri = new PhutilURI('ssh://git@example.com/example/example.git'); $this->assertEqual('ssh', $uri->getProtocol(), pht('protocol')); $this->assertEqual('git', $uri->getUser(), pht('user')); $this->assertEqual('', $uri->getPass(), pht('password')); $this->assertEqual('example.com', $uri->getDomain(), pht('domain')); $this->assertEqual('', $uri->getPort(), 'port'); $this->assertEqual('/example/example.git', $uri->getPath(), pht('path')); $this->assertEqual( array(), $uri->getQueryParams(), pht('query parameters')); $this->assertEqual('', $uri->getFragment(), pht('fragment')); $this->assertEqual( 'ssh://git@example.com/example/example.git', (string)$uri, 'uri'); $uri = new PhutilURI('http://0@domain.com/'); $this->assertEqual('0', $uri->getUser()); $this->assertEqual('http://0@domain.com/', (string)$uri); $uri = new PhutilURI('http://0:0@domain.com/'); $this->assertEqual('0', $uri->getUser()); $this->assertEqual('0', $uri->getPass()); $this->assertEqual('http://0:0@domain.com/', (string)$uri); $uri = new PhutilURI('http://%20:%20@domain.com/'); $this->assertEqual(' ', $uri->getUser()); $this->assertEqual(' ', $uri->getPass()); $this->assertEqual('http://%20:%20@domain.com/', (string)$uri); $uri = new PhutilURI('http://%40:%40@domain.com/'); $this->assertEqual('@', $uri->getUser()); $this->assertEqual('@', $uri->getPass()); 
$this->assertEqual('http://%40:%40@domain.com/', (string)$uri); + $uri = new PhutilURI('http://%2F:%2F@domain.com/'); + $this->assertEqual('/', $uri->getUser()); + $this->assertEqual('/', $uri->getPass()); + $this->assertEqual('http://%2F:%2F@domain.com/', (string)$uri); + // These tests are covering cases where cURL and parse_url() behavior // may differ in potentially dangerous ways. See T6755 for discussion. // In general, we defuse these attacks by emitting URIs which escape // special characters so that they are interpreted unambiguously by // cURL in the same way that parse_url() interpreted them. $uri = new PhutilURI('http://u:p@evil.com?@good.com'); $this->assertEqual('u', $uri->getUser()); $this->assertEqual('p', $uri->getPass()); $this->assertEqual('evil.com', $uri->getDomain()); $this->assertEqual('http://u:p@evil.com?%40good.com=', (string)$uri); $uri = new PhutilURI('http://good.com#u:p@evil.com/'); $this->assertEqual('good.com#u', $uri->getUser()); $this->assertEqual('p', $uri->getPass()); $this->assertEqual('evil.com', $uri->getDomain()); $this->assertEqual('http://good.com%23u:p@evil.com/', (string)$uri); $uri = new PhutilURI('http://good.com?u:p@evil.com/'); $this->assertEqual('', $uri->getUser()); $this->assertEqual('', $uri->getPass()); $this->assertEqual('good.com', $uri->getDomain()); $this->assertEqual('http://good.com?u%3Ap%40evil.com%2F=', (string)$uri); } public function testURIGeneration() { $uri = new PhutilURI('http://example.com'); $uri->setPath('bar'); $this->assertEqual('http://example.com/bar', $uri->__toString()); } public function testStrictURIParsingOfHosts() { $uri = new PhutilURI('http://&/'); $this->assertEqual('', $uri->getDomain()); } public function testStrictURIParsingOfLeadingWhitespace() { $uri = new PhutilURI(' http://example.com/'); $this->assertEqual('', $uri->getDomain()); } public function testAppendPath() { $uri = new PhutilURI('http://example.com'); $uri->appendPath('foo'); 
$this->assertEqual('http://example.com/foo', $uri->__toString()); $uri->appendPath('bar'); $this->assertEqual('http://example.com/foo/bar', $uri->__toString()); $uri = new PhutilURI('http://example.com'); $uri->appendPath('/foo/'); $this->assertEqual('http://example.com/foo/', $uri->__toString()); $uri->appendPath('/bar/'); $this->assertEqual('http://example.com/foo/bar/', $uri->__toString()); $uri = new PhutilURI('http://example.com'); $uri->appendPath('foo'); $this->assertEqual('http://example.com/foo', $uri->__toString()); $uri->appendPath('/bar/'); $this->assertEqual('http://example.com/foo/bar/', $uri->__toString()); } public function testUnusualURIs() { $uri = new PhutilURI('file:///path/to/file'); $this->assertEqual('file', $uri->getProtocol(), pht('protocol')); $this->assertEqual('', $uri->getDomain(), pht('domain')); $this->assertEqual('/path/to/file', $uri->getPath(), pht('path')); $uri = new PhutilURI('idea://open?x=/'); $this->assertEqual('idea', $uri->getProtocol(), pht('protocol')); $this->assertEqual('open', $uri->getDomain(), pht('domain')); $this->assertEqual('', $uri->getPath(), pht('path')); $this->assertEqual( array( 'x' => '/', ), $uri->getQueryParams()); } public function testDefaultPorts() { $uri = new PhutilURI('http://www.example.com'); $this->assertEqual('80', $uri->getPortWithProtocolDefault()); $uri = new PhutilURI('https://www.example.com'); $this->assertEqual('443', $uri->getPortWithProtocolDefault()); $uri = new PhutilURI('ssh://git@example.com/example/example.git'); $this->assertEqual('22', $uri->getPortWithProtocolDefault()); $uri = new PhutilURI('unknown://www.example.com'); $this->assertEqual('', $uri->getPortWithProtocolDefault()); } }
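Review bot: The new %2F case only exercises the user:pass branch of __toString(), while the source change also switched the user-only branch (`else if (strlen($this->user))`) to rawurlencode(); that branch is not covered with a reserved character anywhere in this test. Adding `$uri = new PhutilURI('http://%2F@domain.com/'); $this->assertEqual('/', $uri->getUser()); $this->assertEqual('http://%2F@domain.com/', (string)$uri);` after the new block would pin it. The existing 'ssh://git@example.com' case reaches that branch only with an unreserved user name, so it would not catch a regression there.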