Bug 4461: Correctly deal with encoding/escaping chars
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 3 Apr 2020 11:52:12 +0000 (13:52 +0200)
committerMartin Renvoize <martin.renvoize@ptfs-europe.com>
Mon, 6 Apr 2020 10:19:40 +0000 (11:19 +0100)
This patch deals (hopefully) correctly with encoding and escaping chars.
It also removes OPACBaseURL from the URL stored in the DB and re-adds it on
display, to avoid possible attacks.

Test plan:
Go to the authority search
fill term with something hacky
<script>alert('booh!')</script>And Ŝ♥m€ E★tr₳
Search
Click the "Report a problem" link
Fill the form and make sure the url is displayed correctly
submit
Check problem_reports.problempage in DB => Should be correctly displayed
Go to staff interface, "OPAC problem reports"
=> Confirm the link is correctly display
Click it
=> Confirm that you are at the OPAC, and the URL is correct

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

koha-tmpl/intranet-tmpl/prog/en/modules/admin/problem-reports.tt
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-reportproblem.tt
opac/opac-reportproblem.pl

index 6c7080f..b2e0ea5 100644 (file)
@@ -79,8 +79,8 @@
                                         <b>[% report.title | html %]</b><br>
                                         [% report.content | html %]
                                     </td>
-                                    <td><a href="[% report.problempage | url %]">[% report.problempage | html %]</a></td>
-                                    <td>[% report.recipient %]</td>
+                                    <td><a href="[% OPACBaseURL | url %][% report.problempage | url %]">[% OPACBaseURL | url %][% report.problempage | html %]</a></td>
+                                    <td>[% report.recipient | html %]</td>
                                     <td><span title="[% report.created_on | html %]">[% report.created_on | $KohaDates with_hours => 1 %]</span></td>
                                     <td>[% INCLUDE 'patron-title.inc' patron => report.patron hide_patron_infos_if_needed=1 %]</td>
                                     <td class="status[% report.status | html %]" name="status"><span id="status_[% report.reportid | html %]">[% report.status | html %]</span></td>
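Review bot: Prefixing OPACBaseURL to `report.problempage` in the href only keeps the link on the OPAC host when the stored value is a path beginning with a single `/`; the value is submitted from a client-controlled hidden field, and if the `url` filter leaves `@` unencoded (as Template Toolkit's stock `url` filter does, unlike `uri`), a stored value such as `@attacker.example/` renders as `https://opac.example@attacker.example/`, a staff-interface link whose host is not the OPAC. Unless the value is validated when the report is saved, the template should only build an anchor for local paths, e.g. `[% IF report.problempage.match('^/(?!/)') %]<a href="[% OPACBaseURL | url %][% report.problempage | url %]">[% OPACBaseURL | html %][% report.problempage | html %]</a>[% ELSE %][% report.problempage | html %][% END %]`. Separately, the visible link text passes OPACBaseURL through `url`, which is a URL-encoding filter; in text context it should be `[% OPACBaseURL | html %]` to match the `html` filter used on the path beside it.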
index b866967..efae101 100644 (file)
@@ -37,7 +37,7 @@
                                 [% ELSE %]
                                     Your problem report has been sent to the library.
                                 [% END %]
-                            [% CASE 'error_on_send' %][#% We really should avoid reaching this! %]
+                            [% CASE 'error_on_send' #We really should avoid reaching this! %]
                                 Something wrong happened when sending the report. Please contact your library.
                             [% END %]
                         </div>
@@ -62,8 +62,8 @@
                                     </li>
                                     <li>
                                         <label for="problempage">Problem found on page: </label>
-                                        <input type="hidden" name="problempage" id="problempage" value="[% problempage | html %]">
-                                        [% problempage | html %]
+                                        <input type="hidden" name="problempage" id="problempage" value="[% problempage | url %]">
+                                         [% problempage | html %]<br/>
                                     </li>
                                     <li>
                                         <label for="user">Username: </label>
index 7e62f75..2abce15 100755 (executable)
@@ -28,6 +28,8 @@ use Koha::ProblemReport;
 use Koha::Libraries;
 use Koha::Patrons;
 use Koha::Util::Navigation;
+use URI::Escape;
+use Encode;
 
 my $input = new CGI;
 
@@ -46,7 +48,8 @@ if (   !C4::Context->preference('OPACReportProblem')
     print $input->redirect("/cgi-bin/koha/errors/404.pl");
 }
 
-my $problempage = C4::Context->preference('OPACBaseURL') . Koha::Util::Navigation::local_referer($input );
+my $referer = Koha::Util::Navigation::local_referer($input );
+$referer = Encode::decode_utf8 uri_unescape $referer,
 
 my $patron = Koha::Patrons->find($borrowernumber);
 my $username = $patron->userid;
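Review bot: The added line `$referer = Encode::decode_utf8 uri_unescape $referer,` ends in a comma instead of a semicolon, so the following `my $patron = Koha::Patrons->find($borrowernumber)` is parsed as a second argument to `uri_unescape` rather than as its own statement. It appears to work only because `Encode::decode_utf8` carries a `($;$)` prototype that forces scalar context on that argument list, in which `uri_unescape` ignores the extra argument, while the `my $patron` assignment is still evaluated as a side effect; any change to either function's calling convention would break it silently. Replace it with `$referer = Encode::decode_utf8( uri_unescape($referer) );` and leave `my $patron = Koha::Patrons->find($borrowernumber);` as a separate statement.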
@@ -56,7 +59,7 @@ my @messages;
 
 $template->param(
     username    => $username,
-    problempage => $problempage,
+    problempage => $referer,
     library     => $library,
 );
 
@@ -66,6 +69,7 @@ if ( $op eq 'addreport' ) {
     my $subject = $input->param('subject');
     my $message = $input->param('message');
     my $problempage = $input->param('problempage');
+    $problempage = Encode::decode_utf8 uri_unescape $problempage;
     my $recipient = $input->param('recipient') || 'admin';
 
     try {
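Review bot: `$problempage` is taken straight from the hidden `problempage` form field, which the client fully controls, and the only transformation before it is stored (the `try` block that stores it continues past the hunk) is `uri_unescape` plus `decode_utf8`; nothing checks that it is a path on the OPAC. The staff-side template builds the link as OPACBaseURL followed by this value, so a submitted `@attacker.example/`-style value can yield a link whose host is not the OPAC, and a `//host/...` value is likewise only contained by the prefix. Accept only a local path before storing it, e.g. `$problempage = '' unless defined $problempage && $problempage =~ m{\A/(?!/)};`, which rejects both the userinfo trick and protocol-relative values; `local_referer` presumably already produces such a path, so legitimate submissions are unaffected.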