Commit 19c4b2f2 authored by Carsten  Rose's avatar Carsten Rose

Merge branch 'F9686DownloadSanatizeOutputFilename' into 'master'

Fixes F9686: html decode and sanitize an export filename to become the 'save as'-filename

See merge request !216
parents b3b2d9b3 042f9da9
Pipeline #2840 passed with stages
in 2 minutes and 35 seconds
......@@ -28,6 +28,7 @@ use IMATHUZH\Qfq\Core\Helper\KeyValueStringParser;
use IMATHUZH\Qfq\Core\Helper\OnArray;
use IMATHUZH\Qfq\Core\Helper\Support;
use IMATHUZH\Qfq\Core\Helper\Token;
use IMATHUZH\Qfq\Core\Helper\Sanitize;
use IMATHUZH\Qfq\Core\Store\Sip;
use IMATHUZH\Qfq\Core\Store\Store;
......@@ -1525,6 +1526,12 @@ EOF;
*/
private function buildDownload($vars, $value) {
// By default, qfq saves everything HTML encoded. E.g. in form ''' - decode them back to regual UTF-8 text.
$filename = html_entity_decode($vars[DOWNLOAD_EXPORT_FILENAME], ENT_QUOTES | ENT_XML1, 'UTF-8');
// Remove unsafe characters.
$vars[DOWNLOAD_EXPORT_FILENAME] = Sanitize::safeFilename($filename);
return $vars;
}
......
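Review bot: `$vars[DOWNLOAD_EXPORT_FILENAME]` is read unconditionally in the added lines, so unless a default is assigned in a part of the function this page does not show, a call without an export filename passes null to `html_entity_decode()`; a fallback such as `$vars[DOWNLOAD_EXPORT_FILENAME] ?? ''` would make that case explicit. Decoding before sanitizing is the safe order, because entity-encoded quotes or separators only become visible to `Sanitize::safeFilename()` once decoded, and the comment should pin that down: `// Decode first, sanitize last - never decode again after safeFilename().` What `safeFilename()` actually strips (control characters such as CR/LF, path separators, quotes) cannot be checked from this page and deserves a unit test, since the result becomes the 'save as' name. The hunk looks truncated in this rendering, so the enclosing function may not be `buildDownload` as printed.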