To Test
1/ Craft a URL like /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123
It is important that it returns results and facets.
2/ Notice the JS is executed
3/ Apply the patch, test again
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Popup is gone after applying the patch. The facet link still shows it but does not execute it. It's gone after clicking the link.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
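To see exactly what the patch changes, the Perl script below (an added example, not Koha's code) renders a minimal stand-in for the facet link with Template Toolkit twice: once with the bare `[% url %]` of the unpatched template and once with `[% url | url %]` as in the patch. The search URL is the one from the test plan; the facet type `au` and the facet values are constructed for the example, and the script assumes the Template module (2.16 or later, which provides the `url` filter) is installed.

```perl
#!/usr/bin/perl
# Added example, not part of Koha: renders the facet link before and after the
# patch on the test plan's URL so the effect of the |url filter can be seen.
# Assumes the Template module (>= 2.16, which provides the url filter) is installed.
use strict;
use warnings;
use Template;

# Minimal stand-in for the facet link in the template (constructed, not the real file).
my %template = (
    before => q{[% SET url = url _ "&limit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]}
            . q{<a href="[% url %]" title="[% facet.facet_title_value | html %]">[% facet.facet_label_value %]</a>},
    after  => q{[% SET url = url _ "&limit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]}
            . q{<a href="[% url | url %]" title="[% facet.facet_title_value | html %]">[% facet.facet_label_value %]</a>},
);

# Constructed inputs: the test plan's URL as the template would receive it, and two
# hypothetical facet values, one plain and one containing an ampersand.
my $search_url = q{/cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123};
my @facets = (
    { type_link_value => 'au', facet_link_value => 'Smith, John',
      facet_title_value => 'Smith, John',  facet_label_value => 'Smith, John' },
    { type_link_value => 'au', facet_link_value => 'Smith & Sons',
      facet_title_value => 'Smith & Sons', facet_label_value => 'Smith & Sons' },
);

my $tt = Template->new() or die Template->error;
for my $name (qw(before after)) {
    for my $facet (@facets) {
        my $out = '';
        $tt->process( \$template{$name}, { url => $search_url, facet => $facet }, \$out )
            or die $tt->error;
        # "before": the raw ' " > < from sort_by land inside the href attribute and
        #           close it, which is the injection the test plan triggers.
        # "after":  the url filter percent-encodes characters outside the URL-safe
        #           set (quotes and angle brackets included) but leaves & = : / ?
        #           untouched, so the query structure survives and the attribute
        #           stays closed; the "&" in the second facet value is also left bare.
        print "$name: $out\n";
    }
}
```

Run it with `perl facet_filter_demo.pl` (any file name will do). The output makes two things visible that the test plan only describes: the `url` filter neutralises the attribute break-out without encoding the query delimiters, and the label text between the anchor tags is printed unfiltered in both variants.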
[% IF facet.active %]
[% SET url = url _ "&nolimit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]
<span class="facet-label">[% facet.facet_label_value %]</span>
- [<a href="[% url %]" title="Remove facet [% facet.facet_link_value | html %]">x</a>]
+ [<a href="[% url |url%]" title="Remove facet [% facet.facet_link_value | html %]">x</a>]
[% ELSE %]
[% SET url = url _ "&limit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]
- <span class="facet-label"><a href="[% url %]" title="[% facet.facet_title_value |html %]">[% facet.facet_label_value %]</a></span>
+ <span class="facet-label"><a href="[% url |url%]" title="[% facet.facet_title_value |html %]">[% facet.facet_label_value %]</a></span>
[% IF ( displayFacetCount ) %]
<span class="facet-count"> ([% facet.facet_count %])</span>
[% END %]
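Review bot: the fix only covers the href; in the same hunk `[% facet.facet_label_value %]` (both the `<span class="facet-label">` in the active branch and the link text in the else branch) and `[% facet.facet_count %]` are still emitted without `| html`, so any attacker-influenced facet value still reaches the page unescaped as text. Suggest `[% facet.facet_label_value | html %]` in both places. Two smaller points: the `url` filter deliberately leaves `& = : / ?` unencoded, so applying it to the fully assembled string does not protect against a facet value that itself contains `&` or `=`; encoding each value with `| uri` where it is concatenated in the `SET url = ...` lines would be more robust. And for consistency with `| html %]` on the same lines, write `[% url | url %]` rather than `[% url |url%]`.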