diff --git a/scripts/http-vuln-cve2013-7091.nse b/scripts/http-vuln-cve2013-7091.nse
index 52419a229..874d02a65 100644
--- a/scripts/http-vuln-cve2013-7091.nse
+++ b/scripts/http-vuln-cve2013-7091.nse
@@ -56,7 +56,7 @@ categories = {"exploit","vuln","intrusive"}
 portrule = shortport.http
 
 -- function to escape specific characters
-local escape = function(str) return string.gsub(str, "", "") end
+local escape = function(str) return string.gsub(str, "%%", "%%%%") end
 
 action = function(host, port)
   local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/zimbra"