diff --git a/mozilla/webtools/update/core/inc_global.php b/mozilla/webtools/update/core/inc_global.php
index 764f2090643..0f35931921d 100644
--- a/mozilla/webtools/update/core/inc_global.php
+++ b/mozilla/webtools/update/core/inc_global.php
@@ -221,4 +221,36 @@ function installtrigger($functionname) {
 }
 }
-?>
\ No newline at end of file
+/**
+ mozupd_buildDownloadlURL function
+ builds the URL for extensions/themes download
+ in the form /core/install.php/filename.$ext?passthrough=yes&uri=$uri
+ performing entities escaping as per W3C specification
+
+ @param string $uri the 'real' URI of the file
+ @param string $name file name
+ @param string $version file version
+ @param string $ext suggested file extension, including leading '.'
+ @param boolean $force should we force passed extension?
+
+ @author: Giorgio Maone
+ @version: 0.1
+*/
+function mozupd_buildDownloadURL($uri, $name, $version,
+ $ext='.xpi', $force=FALSE) {
+
+ if(preg_match('/.*\/(.*?)(\.[a-z]+)(\?|$)/i',$uri,$uri_parts) // uri parsing
+ && strcasecmp($autoext=$uri_parts[2],$ext)==0 // extension exact matching
+ || (!$force // autodetection for a set of reasonable download extensions
+ && preg_match('/^\.(jar|xpi|zip|exe|gz[\w]+|bz[\w+]|rpm)$/i',$autoext)
+ )
+ ) {
+ $filename=$uri_parts[1].$uri_parts[2];
+ } else { // fall back if $uri has not a recognized extension
+ $filename=preg_replace('/\W/','_',"$name $version").$ext;
+ }
+
+ return htmlspecialchars( // if we don't escape '&' and friends validator cries
+ "/core/install.php/$filename?passthrough=yes&uri=$uri");
+}
+?>
diff --git a/mozilla/webtools/update/extensions/moreinfo.php b/mozilla/webtools/update/extensions/moreinfo.php
index f22112065dc..1665ccd0d18 100644
--- a/mozilla/webtools/update/extensions/moreinfo.php
+++ b/mozilla/webtools/update/extensions/moreinfo.php
@@ -349,7 +349,8 @@ $sql = "SELECT TM.ID, TM.Name, TM.DateAdded, TM.DateUpdated, TM.Homepage, TM.Des
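Review bot: `$uri` and the URI-derived `$filename` are interpolated into the URL returned by `mozupd_buildDownloadURL` without URL-encoding. `htmlspecialchars()` only makes the string safe as HTML text, so a `&`, `#`, `?` or space in either value changes the path or query that install.php receives (extra parameters, or a truncated `uri`). Encode each component before the HTML escaping, e.g. `"/core/install.php/".rawurlencode($filename)."?passthrough=yes&uri=".urlencode($uri)`, and pass `ENT_QUOTES` to `htmlspecialchars()` if callers may put the result in a single-quoted attribute (the callers are not visible in this hunk). Separately, `$autoext` is assigned only inside the `strcasecmp` operand, so when the first `preg_match` fails the second one reads an undefined variable; setting `$autoext='';` before the `if` would make the fall-through to the generated filename explicit.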