Hi,
According to Apache bugtracker, the B flag was fixed in version 2.2.9 https://issues.apache.org/bugzilla/show_bug.cgi?id=45529
How safe is it to use this B flag? If I include it in the next release of our software, can I rest assured that the majority of hostings will work fine with this?
When the RewriteRule is evaluated, the URL is unescaped, i.e., the escape sequences %XX where X is a hexadecimal character, are converted to the actual character.
B makes sure than, in the rewritten URL, the backreferences are escaped, both when they were originally escaped and when they weren't. This is specially important in query strings, which allow less characters in their data than the path portion of the URL (apart from ?).
In this bug, B was failing to escape some characters, i.e., it was behaving as if the B flag hadn't been specified. So, while the fact the B flag was buggy is a problem, it was not worse than not using it.
You can work around it passing data your scripts through PATH_INFO instead of query strings, but this requires alterations to the scripts.