Bug 20945: Escape SQL parameters when constructing download links
author Nick Clemens <nick@bywatersolutions.com>
Thu, 14 Jun 2018 14:20:44 +0000 (14:20 +0000)
committer Nick Clemens <nick@bywatersolutions.com>
Fri, 29 Jun 2018 20:06:37 +0000 (20:06 +0000)
To test:
1 - Create a report that takes a parameter
2 - Enter a parameter containing '%'
3 - Attempt to download report, note link is misconstructed
4 - Apply patch
5 - Reload
6 - Note URL is now correct

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

koha-tmpl/intranet-tmpl/prog/en/includes/reports-toolbar.inc

index 99ce946..b773c9b 100644 (file)
@@ -49,7 +49,7 @@
 
         [% IF ( execute ) %]
             [% BLOCK params %]
-                [%- FOREACH param IN sql_params %]&amp;sql_params=[% param %][% END %]
+                [%- FOREACH param IN sql_params %]&amp;sql_params=[% param | uri %][% END %]
                     [%- FOREACH param_name IN param_names %]&amp;param_name=[% param_name %][% END %]
             [%- END %]
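Review bot: On the `param_name` line directly below the changed line, `[% param_name %]` is still written into the same query string without `| uri`, so a parameter name containing `%`, `&` or `#` would misconstruct the download link in the same way the unescaped value did. Suggest `&amp;param_name=[% param_name | uri %]` in this patch as well, and extending the test plan to cover a parameter containing `&` in addition to `%`.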