This page demonstrates the mailto: bug.
The bug is that escaped ampersand characters (&) are not properly handled in mailto: fields. If the & character is escaped, it should be considered part of the mailto: header data, instead of a field separator.
This URL should result in an email with a body of "hello".
mailto:?body=hello&worldThis URL should result in an email with a body of "hello&world", but it does not with CNF3.
mailto:?body=hello%26worldThus, first the fields on the mailto: URL should be determined, and then the data should be decoded.
Testing the same links on a normal web browser (FireFox) gives the expected results.