From 0557c0fd9c468fb32011897318fb239dcdc30bc8 Mon Sep 17 00:00:00 2001 From: Nick Clemens Date: Thu, 14 Jun 2018 14:20:44 +0000 Subject: [PATCH] Bug 20945: Escape SQL parameters when constructing download links TO test: 1 - Create a report that takes a parameter 2 - Enter a parameter containing '%' 3 - Attempt to download report, note link is misconstructed 4 - Apply patch 5 - Reload 6 - Note URL is now correct Signed-off-by: Katrin Fischer Signed-off-by: Martin Renvoize Signed-off-by: Nick Clemens Signed-off-by: Martin Renvoize --- koha-tmpl/intranet-tmpl/prog/en/includes/reports-toolbar.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/reports-toolbar.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/reports-toolbar.inc index 99ce946084..b773c9bfcc 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/reports-toolbar.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/reports-toolbar.inc @@ -49,7 +49,7 @@ [% IF ( execute ) %] [% BLOCK params %] - [%- FOREACH param IN sql_params %]&sql_params=[% param %][% END %] + [%- FOREACH param IN sql_params %]&sql_params=[% param | uri %][% END %] [%- FOREACH param_name IN param_names %]&param_name=[% param_name %][% END %] [%- END %] -- 2.39.5
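Review bot: The unchanged context line directly below the fix, `[%- FOREACH param_name IN param_names %]&param_name=[% param_name %][% END %]`, still writes `param_name` into the query string without the `uri` filter, so a parameter name containing `%`, `&` or `=` will misconstruct the download link in the same way the value did. Suggest applying the same filter there, `&param_name=[% param_name | uri %]`, in this patch, so both halves of the `params` block are encoded consistently. The test plan only exercises a `%` in the parameter value; a step with `&` or `#` in the value, and one with a special character in the parameter label, would confirm the link survives every character that can split or truncate a query string.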