diff --git a/inc/common.php b/inc/common.php
index 5d6287ada9af05201e4c209beb9a18f8cae5f949..0fdeec63be8a485bf2e763c900cb94b24d7556ae 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -285,9 +285,9 @@ function ml($id='',$more='',$direct=true){
     $xlink .= 'lib/exe/fetch.php';
     if($more){
       $xlink .= '?'.$more;
-      $xlink .= '&media='.$id;
+      $xlink .= '&media='.urlencode($id);
     }else{
-      $xlink .= '?media='.$id;
+      $xlink .= '?media='.urlencode($id);
     }
     return $xlink;
   } 
diff --git a/inc/pageutils.php b/inc/pageutils.php
index d81d22a586fc3ff21169806c6c280bcb92039118..e22dc3c866b1e5e6a6d7b5bbfe7ebbf246837517 100644
--- a/inc/pageutils.php
+++ b/inc/pageutils.php
@@ -13,14 +13,18 @@
  * Uses either standard $_REQUEST variable or extracts it from
  * the full request URI when userewrite is set to 2
  *
- * Returns $conf['start'] if no id was found and $param is 'id'
+ * For $param='id' $conf['start'] is returned if no id was found
+ * and the returned ID will be cleaned. For other params the
+ * cleaning has to be done outside this function
  * 
  * @author Andreas Gohr <andi@splitbrain.org>
  */
 function getID($param='id'){
   global $conf;
 
-  $id = cleanID($_REQUEST[$param]);
+  $id = $_REQUEST[$param];
+
+  if($param == 'id') $id = cleanID($id);
   
   //construct page id from request URI
   if(empty($id) && $conf['userewrite'] == 2){