Bug 20945: Escape SQL parameters when constructing download links
author Nick Clemens <nick@bywatersolutions.com>
Thu, 14 Jun 2018 14:20:44 +0000 (14:20 +0000)
committer Fridolin Somers <fridolin.somers@biblibre.com>
Wed, 4 Jul 2018 08:04:12 +0000 (10:04 +0200)
To test:
1 - Create a report that takes a parameter
2 - Enter a parameter containing '%'
3 - Attempt to download report, note link is misconstructed
4 - Apply patch
5 - Reload
6 - Note URL is now correct

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0557c0fd9c468fb32011897318fb239dcdc30bc8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

koha-tmpl/intranet-tmpl/prog/en/includes/reports-toolbar.inc

index 5f70852..f7ae188 100644 (file)
@@ -48,7 +48,7 @@
 
         [% IF ( execute ) %]
             [% BLOCK params %]
-                [%- FOREACH param IN sql_params %]&amp;sql_params=[% param %][% END %]
+                [%- FOREACH param IN sql_params %]&amp;sql_params=[% param | uri %][% END %]
             [%- END %]
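Review bot: the `| uri` filter on the `+` line in `BLOCK params` is only exercised by the test plan with a value containing '%'. A parameter containing '&', '=', '#', '+' or a space would break or split the `sql_params` query string in the same way, so please confirm the filter encodes those too and add one such value to the test steps. The subject line says "Escape SQL parameters", but the change is URL encoding of the values placed in the download link and does nothing about SQL escaping; wording such as "URI-encode report parameters in download links" would avoid suggesting otherwise. Only this one interpolation is visible in the hunk, so it is worth checking whether any other values interpolated into the same download link in reports-toolbar.inc need the same filter.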