diff --git a/src/api/app/helpers/maintenance_helper.rb b/src/api/app/helpers/maintenance_helper.rb
index c6015cb9850c..07ac4759c744 100644
--- a/src/api/app/helpers/maintenance_helper.rb
+++ b/src/api/app/helpers/maintenance_helper.rb
@@ -97,7 +97,7 @@ def release_package_relink(link, action, target_package_name, target_project, tp
     link.remove_attribute('project') # its a local link, project name not needed
     link['package'] = link['package'].gsub(/\..*/, '') + target_package_name.gsub(/.*\./, '.') # adapt link target with suffix
     link_xml = link.to_xml
-    Backend::Connection.put "/source/#{URI.escape(target_project.name)}/#{URI.escape(target_package_name)}/_link?rev=repository&user=#{CGI.escape(User.session!.login)}", link_xml
+    Backend::Connection.put "/source/#{CGI.escape(target_project.name)}/#{CGI.escape(target_package_name)}/_link?rev=repository&user=#{CGI.escape(User.session!.login)}", link_xml
 
     md5 = Digest::MD5.hexdigest(link_xml)
     # commit with noservice parameter
@@ -108,7 +108,7 @@ def release_package_relink(link, action, target_package_name, target_project, tp
       comment: "Set local link to #{target_package_name} via maintenance_release request"
     }
     upload_params[:requestid] = action.bs_request.number if action
-    upload_path = "/source/#{URI.escape(target_project.name)}/#{URI.escape(target_package_name)}"
+    upload_path = "/source/#{CGI.escape(target_project.name)}/#{CGI.escape(target_package_name)}"
     upload_path << Backend::Connection.build_query_from_hash(upload_params, [:user, :comment, :cmd, :noservice, :requestid])
     answer = Backend::Connection.post upload_path, "<directory> <entry name=\"_link\" md5=\"#{md5}\" /> </directory>"
     tpkg.sources_changed(dir_xml: answer)
@@ -131,7 +131,7 @@ def release_package_create_main_package(request, source_package, target_package_
       rev: 'repository',
       comment: "Set link to #{target_package_name} via maintenance_release request"
     }
-    upload_path = "/source/#{URI.escape(target_project.name)}/#{URI.escape(base_package_name)}/_link"
+    upload_path = "/source/#{CGI.escape(target_project.name)}/#{CGI.escape(base_package_name)}/_link"
     upload_path << Backend::Connection.build_query_from_hash(upload_params, [:user, :rev])
     link = "<link package='#{target_package_name}' cicount='copy' />\n"
     md5 = Digest::MD5.hexdigest(link)
@@ -140,7 +140,7 @@ def release_package_create_main_package(request, source_package, target_package_
     upload_params[:cmd] = 'commitfilelist'
     upload_params[:noservice] = '1'
     upload_params[:requestid] = request.number if request
-    upload_path = "/source/#{URI.escape(target_project.name)}/#{URI.escape(base_package_name)}"
+    upload_path = "/source/#{CGI.escape(target_project.name)}/#{CGI.escape(base_package_name)}"
     upload_path << Backend::Connection.build_query_from_hash(upload_params, [:user, :comment, :cmd, :noservice, :requestid])
     answer = Backend::Connection.post upload_path, "<directory> <entry name=\"_link\" md5=\"#{md5}\" /> </directory>"
     lpkg.sources_changed(dir_xml: answer)
@@ -232,7 +232,7 @@ def copy_single_binary(arch, target_repository, source_project_name, source_pack
     cp_params[:setupdateinfoid] = update_info_id if update_info_id
     cp_params[:setrelease] = setrelease if setrelease
     cp_params[:multibuild] = '1' unless source_package_name.include?(':')
-    cp_path = "/build/#{CGI.escape(target_repository.project.name)}/#{URI.escape(target_repository.name)}/#{URI.escape(arch.name)}/#{URI.escape(target_package_name)}"
+    cp_path = "/build/#{CGI.escape(target_repository.project.name)}/#{CGI.escape(target_repository.name)}/#{CGI.escape(arch.name)}/#{CGI.escape(target_package_name)}"
 
     cp_path << Backend::Connection.build_query_from_hash(cp_params, [:cmd, :oproject, :opackage,
                                                                      :orepository, :setupdateinfoid,
diff --git a/src/api/app/helpers/webui/webui_helper.rb b/src/api/app/helpers/webui/webui_helper.rb
index cf1925203ae6..a9028018f29a 100644
--- a/src/api/app/helpers/webui/webui_helper.rb
+++ b/src/api/app/helpers/webui/webui_helper.rb
@@ -13,10 +13,8 @@ def bugzilla_url(email_list = '', desc = '')
       cc = ('&cc=' + email_list[1..-1].join('&cc=')) if email_list
     end
 
-    URI.escape(
-      "#{@configuration['bugzilla_url']}/enter_bug.cgi?classification=7340&product=openSUSE.org" \
-      "&component=3rd party software&assigned_to=#{assignee}#{cc}&short_desc=#{desc}"
-    )
+    return "#{@configuration['bugzilla_url']}/enter_bug.cgi?classification=7340&product=openSUSE.org" \
+      "&component=3rd%20party%20software&assigned_to=#{CGI.escape(assignee.to_s)}#{CGI.escape(cc.to_s)}&short_desc=#{CGI.escape(desc.to_s)}"
   end
 
   def fuzzy_time(time, with_fulltime = true)
diff --git a/src/api/app/models/package.rb b/src/api/app/models/package.rb
index 41c72d9ca68f..e14707fcb3ff 100644
--- a/src/api/app/models/package.rb
+++ b/src/api/app/models/package.rb
@@ -428,8 +428,8 @@ def sources_changed(opts = {})
   end
 
   def self.source_path(project, package, file = nil, opts = {})
-    path = "/source/#{URI.escape(project)}/#{URI.escape(package)}"
-    path += "/#{URI.escape(file)}" if file.present?
+    path = "/source/#{CGI.escape(project)}/#{CGI.escape(package)}"
+    path += "/#{CGI.escape(file)}" if file.present?
     path += '?' + opts.to_query if opts.present?
     path
   end
@@ -1324,7 +1324,7 @@ def backend_build_command(command, build_project, params)
       permitted_params = params.permit(:repository, :arch, :package, :code, :wipe)
 
       # do not use project.name because we missuse the package source container for build container operations
-      Backend::Connection.post("/build/#{URI.escape(build_project)}?cmd=#{command}&#{permitted_params.to_h.to_query}")
+      Backend::Connection.post("/build/#{CGI.escape(build_project)}?cmd=#{command}&#{permitted_params.to_h.to_query}")
     rescue Backend::Error, Timeout::Error, Project::WritePermissionError => e
       errors.add(:base, e.message)
       return false
diff --git a/src/api/app/models/project.rb b/src/api/app/models/project.rb
index b8209fcf0d6c..b33ad2506b09 100644
--- a/src/api/app/models/project.rb
+++ b/src/api/app/models/project.rb
@@ -309,8 +309,8 @@ def parent_projects(project_name)
     end
 
     def source_path(project, file = nil, opts = {})
-      path = "/source/#{URI.escape(project)}"
-      path += "/#{URI.escape(file)}" if file.present?
+      path = "/source/#{CGI.escape(project)}"
+      path += "/#{CGI.escape(file)}" if file.present?
       path += '?' + opts.to_query if opts.present?
       path
     end
diff --git a/src/api/spec/factories/packages.rb b/src/api/spec/factories/packages.rb
index 6ab4c68f9950..3a9a725e5ffc 100644
--- a/src/api/spec/factories/packages.rb
+++ b/src/api/spec/factories/packages.rb
@@ -108,7 +108,7 @@
       after(:create) do |package|
         # NOTE: Enable global write through when writing new VCR cassetes.
         # ensure the backend knows the project
-        Backend::Connection.put("/source/#{URI.escape(package.project.name)}/#{URI.escape(package.name)}/_service", '<services/>') if CONFIG['global_write_through']
+        Backend::Connection.put("/source/#{CGI.escape(package.project.name)}/#{CGI.escape(package.name)}/_service", '<services/>') if CONFIG['global_write_through']
       end
     end
 
@@ -116,7 +116,7 @@
       after(:create) do |package|
         # NOTE: Enable global write through when writing new VCR cassetes.
         # ensure the backend knows the project
-        Backend::Connection.put("/source/#{URI.escape(package.project.name)}/#{URI.escape(package.name)}/_service", '<service>broken</service>') if CONFIG['global_write_through']
+        Backend::Connection.put("/source/#{CGI.escape(package.project.name)}/#{CGI.escape(package.name)}/_service", '<service>broken</service>') if CONFIG['global_write_through']
       end
     end
 
@@ -131,7 +131,7 @@
         # ensure the backend knows the project
         if CONFIG['global_write_through']
           full_path = "/source/#{package.project.name}/#{package.name}/#{evaluator.changes_file_name}"
-          Backend::Connection.put(URI.escape(full_path), evaluator.changes_file_content)
+          Backend::Connection.put(CGI.escape(full_path), evaluator.changes_file_content)
         end
       end
     end
@@ -160,7 +160,7 @@
         # ensure the backend knows the project
         if CONFIG['global_write_through']
           full_path = "/source/#{package.project.name}/#{package.name}/#{evaluator.kiwi_file_name}"
-          Backend::Connection.put(URI.escape(full_path), evaluator.kiwi_file_content)
+          Backend::Connection.put(CGI.escape(full_path), evaluator.kiwi_file_content)
         end
       end
     end
diff --git a/src/api/spec/helpers/webui/webui_helper_spec.rb b/src/api/spec/helpers/webui/webui_helper_spec.rb
index cf9813d02163..e00f275ddc6d 100644
--- a/src/api/spec/helpers/webui/webui_helper_spec.rb
+++ b/src/api/spec/helpers/webui/webui_helper_spec.rb
@@ -84,7 +84,7 @@
     it 'adds an assignee and description if parameters where given' do
       expected_attributes = @expected_attributes.clone
       expected_attributes[:short_desc] = 'some_description'
-      expected_attributes[:assigned_to] = 'assignee@example.org'
+      expected_attributes[:assigned_to] = 'assignee%40example.org'
 
       expected_url = 'https://bugzilla.example.org/enter_bug.cgi?' +
                      expected_attributes.map { |key, value| "#{key}=#{value}" }.join('&')
diff --git a/src/api/spec/models/package_spec.rb b/src/api/spec/models/package_spec.rb
index b46a3468ca6c..821c9df614eb 100644
--- a/src/api/spec/models/package_spec.rb
+++ b/src/api/spec/models/package_spec.rb
@@ -319,17 +319,17 @@
   end
 
   describe '#source_path' do
-    it { expect(package_with_file.source_path).to eq('/source/home:tom/package_with_files') }
-    it { expect(package_with_file.source_path('icon')).to eq('/source/home:tom/package_with_files/icon') }
-    it { expect(package_with_file.source_path('icon', format: :html)).to eq('/source/home:tom/package_with_files/icon?format=html') }
+    it { expect(package_with_file.source_path).to eq('/source/home%3Atom/package_with_files') }
+    it { expect(package_with_file.source_path('icon')).to eq('/source/home%3Atom/package_with_files/icon') }
+    it { expect(package_with_file.source_path('icon', format: :html)).to eq('/source/home%3Atom/package_with_files/icon?format=html') }
   end
 
   describe '#public_source_path' do
-    it { expect(package_with_file.public_source_path).to eq('/public/source/home:tom/package_with_files') }
-    it { expect(package_with_file.public_source_path('icon')).to eq('/public/source/home:tom/package_with_files/icon') }
+    it { expect(package_with_file.public_source_path).to eq('/public/source/home%3Atom/package_with_files') }
+    it { expect(package_with_file.public_source_path('icon')).to eq('/public/source/home%3Atom/package_with_files/icon') }
 
     it 'adds the format parameter to the url that was given to the method' do
-      expect(package_with_file.public_source_path('icon', format: :html)).to eq('/public/source/home:tom/package_with_files/icon?format=html')
+      expect(package_with_file.public_source_path('icon', format: :html)).to eq('/public/source/home%3Atom/package_with_files/icon?format=html')
     end
   end
 
@@ -652,7 +652,7 @@
       before do
         if CONFIG['global_write_through']
           full_path = "/source/#{package.project.name}/#{package.name}/lorem.changes"
-          Backend::Connection.put(URI.escape(full_path), 'Lorem ipsum dolorem')
+          Backend::Connection.put(CGI.escape(full_path), 'Lorem ipsum dolorem')
         end
       end