We were double-encoding URIs, as the url and uri filters in
TT happily encode % - which is fine the first time around,
but after you've already escaped everything as %nn the propagator
was serving it back to url to be escaped again on the following
page request.
The right way to do this might be to unescape the incoming query
string, then pass it on to url for escaping again - but for now,
using the entity version of & is good enough to begin with.
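
The growth described above, and the decode-then-encode approach the message suggests, as an added example that is not part of the original commit or the project's code. `url_filter` is an assumed stand-in for the TT filter (it only models the fact that a literal % gets encoded), the sample query string is constructed, and the fix decodes per parameter so an encoded & stays inside its value.

```python
from urllib.parse import quote, unquote


def url_filter(text: str) -> str:
    # Assumed stand-in for the TT url filter: leaves '&' and '=' alone but
    # percent-encodes everything else unsafe, including a literal '%'.
    return quote(text, safe="&=")


def propagate_buggy(raw_query: str) -> str:
    # The bug: the already-escaped query string is fed back into the filter.
    return url_filter(raw_query)


def propagate_fixed(raw_query: str) -> str:
    # Decode each key and value once, then encode exactly once.
    # Splitting on '&' before decoding keeps an encoded '&' (%26) in its value.
    pairs = []
    for field in raw_query.split("&"):
        key, _, value = field.partition("=")
        pairs.append(quote(unquote(key), safe="") + "=" + quote(unquote(value), safe=""))
    return "&".join(pairs)


def follow_links(step, raw_query: str, hops: int) -> list:
    # Simulate the query string being propagated across several page requests.
    history = []
    for _ in range(hops):
        raw_query = step(raw_query)
        history.append(raw_query)
    return history


# Constructed sample: a space and an ampersand, each escaped once.
SAMPLE = "q=a%20b&tag=R%26D"

if __name__ == "__main__":
    for name, step in (("buggy", propagate_buggy), ("fixed", propagate_fixed)):
        print(name)
        for hop, query in enumerate(follow_links(step, SAMPLE, 3), start=1):
            print(f"  request {hop}: {query}")
```
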