This patch deals (hopefully) correctly with encoding and escaping chars.
It also removes OPACBaseURL from the url stored in DB, and re-adds it on
display, to avoid possible attacks.
Test plan:
Go to the authority search
fill term with something hacky
<script>alert('booh!')</script>And Ŝ♥m€ E★tr₳
Search
Click the "Report a problem" link
Fill the form and make sure the url is displayed correctly
submit
Check problem_reports.problempage in DB => Should be correctly displayed
Go to staff interface, "OPAC problem reports"
=> Confirm the link is correctly displayed
Click it
=> Confirm that you are at the OPAC, and the URL is correct
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
<b>[% report.title | html %]</b><br>
[% report.content | html %]
</td>
- <td><a href="[% report.problempage | url %]">[% report.problempage | html %]</a></td>
- <td>[% report.recipient %]</td>
+ <td><a href="[% OPACBaseURL | url %][% report.problempage | url %]">[% OPACBaseURL | url %][% report.problempage | html %]</a></td>
+ <td>[% report.recipient | html %]</td>
<td><span title="[% report.created_on | html %]">[% report.created_on | $KohaDates with_hours => 1 %]</span></td>
<td>[% INCLUDE 'patron-title.inc' patron => report.patron hide_patron_infos_if_needed=1 %]</td>
<td class="status[% report.status | html %]" name="status"><span id="status_[% report.reportid | html %]">[% report.status | html %]</span></td>
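Review bot: In the link text of the problempage cell, `[% OPACBaseURL | url %]` should be `[% OPACBaseURL | html %]`: the anchor body is HTML content, so both halves of the displayed URL need the `html` filter, as `report.problempage` already gets. The `url` filter only percent-encodes and leaves `&` untouched, which in HTML text should be `&amp;`; keep `url` for the `href` attribute only. Note also that the concatenation now relies on `problempage` being stored as a path relative to `OPACBaseURL`, which is what the script change below (dropping the `C4::Context->preference('OPACBaseURL')` prefix) provides, so the two must stay in step.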
[% ELSE %]
Your problem report has been sent to the library.
[% END %]
- [% CASE 'error_on_send' %][#% We really should avoid reaching this! %]
+ [% CASE 'error_on_send' #We really should avoid reaching this! %]
Something wrong happened when sending the report. Please contact your library.
[% END %]
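Review bot: Style nit on the `CASE 'error_on_send'` line: put a space after `#` (`# We really should avoid reaching this!`) to match the usual Template Toolkit comment style. The change itself is correct: `[#%` is not a tag opener, so the old line printed the bracketed comment into the rendered page, whereas a `#` inside the directive is ignored up to the end of the line.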
</div>
</li>
<li>
<label for="problempage">Problem found on page: </label>
- <input type="hidden" name="problempage" id="problempage" value="[% problempage | html %]">
- [% problempage | html %]
+ <input type="hidden" name="problempage" id="problempage" value="[% problempage | url %]">
+ [% problempage | html %]<br/>
</li>
<li>
<label for="user">Username: </label>
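Review bot: The hidden `problempage` input's `value` attribute now uses only the `url` filter; since this sits inside an HTML attribute, chain `[% problempage | url | html %]` so any `&` that `url` leaves alone is also attribute-safe. The percent-encoding applied here is exactly what the `uri_unescape` call in the script depends on, so a comment pointing at that pairing would help: if either side changes on its own, the stored page URL is silently double- or under-decoded.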
use Koha::Libraries;
use Koha::Patrons;
use Koha::Util::Navigation;
+use URI::Escape;
+use Encode;
my $input = new CGI;
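Review bot: The two new imports are used in different styles below: `uri_unescape` is called via its export from `URI::Escape`, while `decode_utf8` is called fully qualified as `Encode::decode_utf8`. Pick one, e.g. `use Encode qw( decode_utf8 );` and `use URI::Escape qw( uri_unescape );`, so the import lists document exactly which functions this script relies on.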
print $input->redirect("/cgi-bin/koha/errors/404.pl");
}
-my $problempage = C4::Context->preference('OPACBaseURL') . Koha::Util::Navigation::local_referer($input );
+my $referer = Koha::Util::Navigation::local_referer($input );
+$referer = Encode::decode_utf8 uri_unescape $referer,
my $patron = Koha::Patrons->find($borrowernumber);
my $username = $patron->userid;
$template->param(
username => $username,
- problempage => $problempage,
+ problempage => $referer,
library => $library,
);
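Review bot: The line `$referer = Encode::decode_utf8 uri_unescape $referer,` ends with a comma instead of a semicolon, so Perl parses the following `my $patron = Koha::Patrons->find($borrowernumber);` statement as a further argument to `uri_unescape`; it may compile and even appear to work, but only by accident. Change it to `$referer = Encode::decode_utf8( uri_unescape( $referer ) );`, where the parentheses also make the nesting of the two calls explicit instead of relying on the parser to resolve two bare-word function calls.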
my $subject = $input->param('subject');
my $message = $input->param('message');
my $problempage = $input->param('problempage');
+ $problempage = Encode::decode_utf8 uri_unescape $problempage;
my $recipient = $input->param('recipient') || 'admin';
try {
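Review bot: `$problempage` comes from a hidden form field that the client can edit before submitting, so after `uri_unescape` and `decode_utf8` validate that it is still a local path (the form the referer-derived value has) before it is stored and later linked from the staff interface with `OPACBaseURL` prepended; otherwise the stored value need not correspond to an OPAC page at all. Use parentheses here as well, `$problempage = Encode::decode_utf8( uri_unescape( $problempage ) );`, for consistency with the earlier call.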