Safely encode koji build links

Signed-off-by: Mattia Verga <[email protected]>

bodhi-server/bodhi/server/templates/update.html

@@ -1,7 +1,7 @@
 <%inherit file="master.html"/>
 <%namespace name="json" module="json"/>
 <%
-  from urllib.parse import urljoin
+  from urllib.parse import quote, urljoin
 
   from bodhi.server import models
 
@@ -603,7 +603,7 @@ <h4>How to install</h4>
             <div class="flex-grow-1">
               <%
                 koji_web_url = request.registry.settings.get('koji_web_url').strip('/') + '/'
-                build_url = urljoin(koji_web_url, 'search?terms='+build.nvr+'&type=build&match=exact')
+                build_url = urljoin(koji_web_url, 'search?terms='+quote(build.nvr)+'&type=build&match=exact')
               %>
               <a href="${build_url}" target="_blank">${build.nvr}</a>
             </div>

bodhi-server/tests/services/test_updates.py

@@ -6084,6 +6084,17 @@ def test_frozen_release_html(self, update_status, release_state):
             assert ('This update will not be pushed to stable until freeze is lifted '
                     f'from {release.long_name}.') not in resp
 
+    def test_koji_build_url_encoding(self):
+        """Test HTML URL to koji build is correctly encoded."""
+        update = self.create_update(['hylafax+-7.0.3-1.fc17'])
+        self.db.commit()
+
+        resp = self.app.get(f'/updates/{update.alias}', headers={'Accept': 'text/html'})
+
+        assert 'text/html' in resp.headers['Content-Type']
+        assert ('search?terms=hylafax%2B-7.0.3-1.fc17&type=build&match=exact" '
+                'target="_blank">hylafax+-7.0.3-1.fc17</a>') in resp
+
 
 class TestWaiveTestResults(BasePyTestCase):
     """

news/5272.bug

@@ -0,0 +1 @@
+Link to Koji builds are now correctly encoded