Fix for XSS in session.use_trans_sid support: CAN-2003-0442.
--- php-4.2.2/ext/session/session.c.sessid
+++ php-4.2.2/ext/session/session.c
@@ -84,7 +84,9 @@
 static void php_session_output_handler(char *output, uint output_len, char **handled_output, uint *handled_output_len, int mode TSRMLS_DC)
 {
 if ((PS(session_status) == php_session_active)) {
- *handled_output = url_adapt_ext_ex(output, output_len, PS(session_name), PS(id), handled_output_len, (zend_bool) (mode&PHP_OUTPUT_HANDLER_END ? 1 : 0) TSRMLS_CC);
+ char *encoded = php_url_encode(PS(id), strlen(PS(id)), NULL);
+ *handled_output = url_adapt_ext_ex(output, output_len, PS(session_name), encoded, handled_output_len, (zend_bool) (mode&PHP_OUTPUT_HANDLER_END ? 1 : 0) TSRMLS_CC);
+ efree(encoded);
 } else {
 *handled_output = NULL;
 }
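Review bot: The `efree(encoded)` placed directly after the `url_adapt_ext_ex` call is only correct if that function copies the id value into its own buffers rather than keeping the pointer for later output-handler invocations; that is not visible in the hunk and should be confirmed against url_adapt_ext_ex before this lands. The new `php_url_encode(PS(id), strlen(PS(id)), NULL)` line also relies on two things the hunk does not establish: that PS(id) is never NULL while session_status is php_session_active, and that php_url_encode tolerates a NULL length out-parameter (I believe it does, but verify). Because the encoding is the entire fix, the added line deserves a why-comment so a later cleanup does not drop it, e.g. `/* URL-encode the id: it can be attacker-supplied, and passing it raw lets markup be injected into the rewritten URLs and hidden form fields (CAN-2003-0442) */`. The function's closing brace lies outside the hunk.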