Para, I'm not sure what you mean. A hex code is a percent sign, followed by some 2 digit hexidecimal number. For example, %20 corresponds to a space, and %3F corresponds to a question mark. These hex codes are used to sanitize user input, and to assist in passing variables in a URL.
Here is a good example of the problem at hand. phpBB uses hex code to encode it's URLs properly. So if you go to Search, and search for "search*", that string is actually "search%2A", because %2A is the asterisk. Now, here is a page URL that results from that search: http://coranto.org/forum/viewtopic.php? ... =search%2A
Now what coranto will do, is change %2A in to * . Technically, if you use http://coranto.org/forum/viewtopic.php? ... ht=search*
then it actually still works.
However, here is where the problem compounds. Let's say I wanted to pass that URL, within a URL, as I am doing. You know, something like domain.com?referrer=http://coranto.org/forum/viewtopic.php?t=5887&highlight=search%2A . Well, there are several problems. As soon as the ampersand is read, "highlight" is going to be considered as another variable, and not actually part of the URL. So we have to change ampersand to the appropriate hex code. But what I am saying is that as soon as you replace & with %26, coranto changes it right back to & when you edit or submit the news.
I'm not sure what you meant by using %xx26. No browser or PHP method will be able to recognize what that actually is. What did you mean by that?