that is not a legal URL
You are mistaken. Not only is the url legal, it is parsed identically whether those characters are escaped or not. Only "#" must be escaped in the query component of HTTP urls since no other character "would conflict with a reserved character's purpose as a delimiter" in that part of the url. Other limitations are self-imposed.
Where it makes a difference is how the query is parsed. In this case, "?" and ";" must be escaped in addition to "#" because CGI (the module) expects the query to be a url-encoded form (application/x-www-form-urlencoded) with the extension that ";" is equivalent to "?". (It also supports ISINDEX-style queries.)
If he did his own query parsing, all that comes after the "&url=" could be considered part of the backlink url. But since he's using CGI's parser, all that comes after the "&url=" but only until the next "&" and ";" is considered part of the backlink url.