fix(api): encode subsplease timezone to prevent query-param injection

The `tz` query value was interpolated raw into the upstream URL, letting
callers append arbitrary query segments (e.g. `tz=foo&f=hax`). Wrap the
value in encodeURIComponent and rename the local variable away from the
banned `tz` abbreviation.

0 files changed, 0 insertions, 0 deletions