Data masking: files with url encoded names not showing #840073

classes/files_mask.php

@@ -33,12 +33,12 @@ protected function replace_filename(\stdClass $rec, string $newfilename): void {
             $sql = "UPDATE {oublog_posts}
                        SET message = REPLACE(message, ?, ?)
                      WHERE id = ?";
-            $DB->execute($sql, [$rec->filename, $newfilename, $rec->itemid]);
+            $DB->execute($sql, [rawurlencode($rec->filename), rawurlencode($newfilename), $rec->itemid]);
             // Update edits.
             $sql = "UPDATE {oublog_edits}
                        SET oldmessage = REPLACE(oldmessage, ?, ?)
                      WHERE postid = ?";
-            $DB->execute($sql, [$rec->filename, $newfilename, $rec->itemid]);
+            $DB->execute($sql, [rawurlencode($rec->filename), rawurlencode($newfilename), $rec->itemid]);
         }
     }
 }