This is a bad one as we thought we were XSS safe since bug 13618.
The HTML generated by C4::Output::pagination_bar must correctly escape the
parameter names and values it interpolates into the page links.
This patch needs to be widely tested, everywhere the pagination appears,
to make sure we will not introduce regressions.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit
d4d1107afa873614ace241557e424de0dcbad20a)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
#use warnings; FIXME - Bug 2505
use URI::Escape;
+use Scalar::Util qw( looks_like_number );
use C4::Context;
use C4::Templates;
my $startfrom_name = (@_) ? shift : 'page';
my $additional_parameters = shift || {};
+ $current_page = looks_like_number($current_page) ? $current_page : undef;
+ $nb_pages = looks_like_number($nb_pages) ? $nb_pages : undef;
+
# how many pages to show before and after the current page?
my $pages_around = 2;
my $url = $base_url . (($base_url =~ m/$delim/ or $base_url =~ m/\?/) ? '&' : '?' ) . $startfrom_name . '=';
my $url_suffix;
while ( my ( $k, $v ) = each %$additional_parameters ) {
- $url_suffix .= '&' . $k . '=' . $v;
+ $url_suffix .= '&' . URI::Escape::uri_escape_utf8($k) . '=' . URI::Escape::uri_escape_utf8($v);
}
my $pagination_bar = '';
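Review bot: The escaping added on the `$url_suffix` line covers only `%$additional_parameters`; the `$url` line three lines above it still concatenates `$startfrom_name` raw into the same link, so a caller-supplied page parameter name would reach the generated markup unescaped, and `$base_url` is likewise emitted as given (whether any caller builds either from request data is not visible here, so the exposure is hedged). For consistency I would escape the name the same way, `. URI::Escape::uri_escape_utf8($startfrom_name) . '='`, and make sure `$base_url` is HTML-escaped wherever the bar is rendered. Separately, `looks_like_number` accepts forms such as `1e9`, `Inf`, `NaN` and leading whitespace, which survive the new guard and may feed whatever arithmetic or loop bounds follow; a stricter `defined $current_page && $current_page =~ /\A\d+\z/` (and the same for `$nb_pages`) would limit both to the non-negative integers a page index can actually be. The enclosing pagination_bar sub starts before this hunk and continues past it.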