From a1bee1b210a635e03de8967bf3cda6de15c320f2 Mon Sep 17 00:00:00 2001
From: Julian Maurice
Date: Wed, 12 May 2021 10:24:30 +0200
Subject: [PATCH] Bug 26760: Escape URI parameters in redirect URI to paycollect.pl

Also remove useless '%.2f' formatting of amount and amountoutstanding

Signed-off-by: Katrin Fischer
Signed-off-by: Jonathan Druart
---
 members/maninvoice.pl | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/members/maninvoice.pl b/members/maninvoice.pl
index 1062f74f83..3cf02ca7c4 100755
--- a/members/maninvoice.pl
+++ b/members/maninvoice.pl
@@ -24,6 +24,7 @@
 
 use Modern::Perl;
 use Try::Tiny;
+use URI::Escape;
 
 use C4::Auth;
 use C4::Output;
@@ -172,13 +173,15 @@ if ($add) {
 if ( $add eq 'save and pay' ) {
 my $url = sprintf(
 '/cgi-bin/koha/members/paycollect.pl?borrowernumber=%s&pay_individual=1&debit_type_code=%s&amount=%s&amountoutstanding=%s&description=%s&itemnumber=%s&accountlines_id=%s',
- $borrowernumber,
- $line->debit_type_code,
- sprintf('%.2f', $line->amount),
- sprintf('%.2f', $line->amountoutstanding),
- $line->description,
- $line->itemnumber,
- $line->id
+ map { uri_escape_utf8($_) } (
+ $borrowernumber,
+ $line->debit_type_code,
+ $line->amount,
+ $line->amountoutstanding,
+ $line->description,
+ $line->itemnumber,
+ $line->id
+ )
 );
 
 print $input->redirect($url);
-- 
2.39.5
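Review bot: An undefined field is still not handled in the new `map { uri_escape_utf8($_) } ( ... )` list of the second hunk. If an accessor such as `$line->itemnumber` returns undef (plausible for an invoice not tied to an item, though the schema is not visible here), the value reaches `sprintf`'s `%s` undefined, so the parameter goes out empty and an uninitialized-value warning is likely logged on each redirect. Defaulting inside the block keeps the escaping and makes the empty case explicit: `map { uri_escape_utf8( $_ // '' ) } (`. The list is also evaluated in list context, so the seven values stay aligned with the seven `%s` placeholders only while every accessor returns exactly one scalar; a one-line comment saying so would help the next editor. The enclosing `if ($add) {` block starts and ends outside the hunk.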