Bug 14360: Unescaped variable causes alert

Adding |html to [% resultsperpage %] to escape the variable and get rid of the alert.

To test:

1) Go to URL such as ...  /cgi-bin/koha/opac-authorities-home.pl?op=do_search&resultsperpage=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
2) Notice pop-up box with alert
3) Apply patch, refresh page
4) Notice alert is gone

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
(cherry picked from commit 9e920f7479df6d36db3e3450d6e6c2524fa9fe56)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit ff0281d40ad9bcff563a595082b051dd4304ffc2)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

Conflicts:
	koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-authoritiessearchresultlist.tt

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-authoritiessearchresultlist.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-authoritiessearchresultlist.tt
index 262d7f0..43b4af4 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-authoritiessearchresultlist.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-authoritiessearchresultlist.tt
@@ -6,7 +6,7 @@
         <ul>
             [% IF ( displayprev ) %]
                 <li>
-                    <a href="opac-authorities-home.pl?startfrom=[% startfromprev %]&amp;[% FOREACH searchdat IN searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]resultsperpage=[% resultsperpage %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby %]">
+                    <a href="opac-authorities-home.pl?startfrom=[% startfromprev %]&amp;[% FOREACH searchdat IN searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]resultsperpage=[% resultsperpage |html %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby|html %]">
                         &laquo;
                     </a>
                 </li>
@@ -15,12 +15,12 @@
                 [% IF ( number.highlight ) %]
                     <li class="active"><a href="#">[% number.number %]</a></li>
                 [% ELSE %]
-                    <li><a href="opac-authorities-home.pl?startfrom=[% number.startfrom %]&amp;[% FOREACH searchdat IN number.searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]resultsperpage=[% resultsperpage %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby %]">[% number.number %]</a></li>
+                    <li><a href="opac-authorities-home.pl?startfrom=[% number.startfrom %]&amp;[% FOREACH searchdat IN number.searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]resultsperpage=[% resultsperpage |html %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby|html %]">[% number.number %]</a></li>
                 [% END %]
             [% END %]
             [% IF ( displaynext ) %]
                 <li>
-                    <a href="opac-authorities-home.pl?startfrom=[% startfromnext %]&amp;[% FOREACH searchdat IN searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]&amp;resultsperpage=[% resultsperpage %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby %]">&raquo;</a>
+                    <a href="opac-authorities-home.pl?startfrom=[% startfromnext %]&amp;[% FOREACH searchdat IN searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]&amp;resultsperpage=[% resultsperpage |html %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby|html %]">&raquo;</a>
                 </li>
             [% END %]
         </ul>