Bug 21460: (follow-up) Filter params in .pl
authorAndrew Isherwood <andrew.isherwood@ptfs-europe.com>
Tue, 23 Apr 2019 09:18:31 +0000 (10:18 +0100)
committerNick Clemens <nick@bywatersolutions.com>
Thu, 25 Apr 2019 10:46:56 +0000 (10:46 +0000)
This patch escapes the passed filter parameters in the .pl (via
uri_escape_utf8), rather than HTML-filtering them in the template. As per comment 16
(https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21460#c16)

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

ill/ill-requests.pl
koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt

index 45f99c2..57b0692 100755 (executable)
@@ -30,6 +30,7 @@ use Koha::Libraries;
 use Koha::Token;
 
 use Try::Tiny;
+use URI::Escape;
 
 our $cgi = CGI->new;
 my $illRequests = Koha::Illrequests->new;
@@ -270,18 +271,24 @@ if ( $backends_available ) {
 
         # If we receive a pre-filter, make it available to the template
         my $possible_filters = ['borrowernumber'];
-        my $active_filters = [];
+        my $active_filters = {};
         foreach my $filter(@{$possible_filters}) {
             if ($params->{$filter}) {
-                push @{$active_filters}, "$filter=$params->{$filter}";
+                # We shouldn't need to escape $filter here since we're using
+                # a whitelist, but just to be sure...
+                $active_filters->{uri_escape_utf8($filter)} =
+                    uri_escape_utf8(scalar $params->{$filter});
             }
         }
-        if (scalar @{$active_filters} > 0) {
-            $template->param(
-                prefilters => join(",", @{$active_filters})
-            );
+        if (keys %{$active_filters}) {
+            my @tpl_arr;
+            foreach my $key (keys %{$active_filters}) {
+                push @tpl_arr, $key . "=" . $active_filters->{$key};
+            }
         }
-
+        $template->param(
+            prefilters => join("&", @tpl_arr)
+        );
     } elsif ( $op eq "save_comment" ) {
         die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
            session_id => scalar $cgi->cookie('CGISESSID'),
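Review bot: `my @tpl_arr;` on the line after `if (keys %{$active_filters}) {` is declared inside that block, but `join("&", @tpl_arr)` in the `$template->param(...)` call below runs outside it, so the array that was just filled is out of scope by the time it is read. Koha scripts enable strict via `Modern::Perl` (not visible in this hunk), in which case this is a compile error; without strict it would silently read an empty package global and always pass an empty `prefilters`. Declare the array before the conditional, at which point the `if` is unnecessary because iterating an empty hash pushes nothing: `my @tpl_arr = map { "$_=$active_filters->{$_}" } sort keys %{$active_filters};` followed by the existing `$template->param( prefilters => join("&", @tpl_arr) );`. Sorting the keys also makes the emitted string deterministic, which matters once more than one filter is whitelisted. The enclosing `if ( $backends_available ) ... elsif` chain starts before this hunk and ends after it.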
index ce73bac..8feeccb 100644 (file)
     [% INCLUDE 'calendar.inc' %]
     [% Asset.js("lib/jquery/plugins/jquery.checkboxes.min.js") | $raw %]
     <script>
-        var prefilters = '[% prefilters | html %]';
+        var prefilters = '[% prefilters %]';
         // Set column settings
         var columns_settings = [% ColumnsSettings.GetColumns( 'illrequests', 'ill-requests', 'ill-requests', 'json' ) %];
     </script>
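Review bot: Dropping `| html` leaves `[% prefilters %]` with no filter at all, while the `Asset.js(...)` line two lines above shows this file's convention of marking intentionally unescaped output with `| $raw`; the line should read `var prefilters = '[% prefilters | $raw %]';` so the raw output is an explicit decision rather than an omission. What keeps this value safe inside a single-quoted JavaScript string is now solely that `uri_escape_utf8` in ill-requests.pl percent-encodes the characters that would break out of it (`'`, `\`, `<`), which its default RFC 3986 unsafe set does as far as I can tell; that assumption belongs next to the line, e.g. `[%# prefilters is URI-escaped in ill-requests.pl; html-filtering here would turn the '&' separators into '&amp;' %]`. Anyone later extending the `$possible_filters` whitelist in the .pl must keep the escaping there, since the template no longer defends itself.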