Fixes F9686: html decode and sanitize an export filename to become the 'save as'-filename

extension/Classes/Core/Report/Link.php

@@ -28,6 +28,7 @@ use IMATHUZH\Qfq\Core\Helper\KeyValueStringParser;
 use IMATHUZH\Qfq\Core\Helper\OnArray;
 use IMATHUZH\Qfq\Core\Helper\Support;
 use IMATHUZH\Qfq\Core\Helper\Token;
+use IMATHUZH\Qfq\Core\Helper\Sanitize;
 use IMATHUZH\Qfq\Core\Store\Sip;
 use IMATHUZH\Qfq\Core\Store\Store;
 
@@ -1525,6 +1526,12 @@ EOF;
      */
     private function buildDownload($vars, $value) {
 
+        // By default, qfq saves everything HTML encoded. E.g. in form ''' - decode them back to regual UTF-8 text.
+        $filename = html_entity_decode($vars[DOWNLOAD_EXPORT_FILENAME], ENT_QUOTES | ENT_XML1, 'UTF-8');
+
+        // Remove unsafe characters.
+        $vars[DOWNLOAD_EXPORT_FILENAME] = Sanitize::safeFilename($filename);
+
         return $vars;
     }