http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13789
Dobrica Pavlinusic <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #36445|0 |1 is obsolete| | --- Comment #2 from Dobrica Pavlinusic <[email protected]> --- Created attachment 36477 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=36477&action=edit Bug 13789 - facets with accented utf-8 characters generate double encoded links Bug 13425 tried to fix XSS in OPAC, by using url filter in template toolkit on whole generated url. This doesn't work and create double encoded strings in facets because we are creating url variable by concatenating query_cgi (which did pass through uri_escape_utf8 on perl side) and other parameters which have to be escaped in template. Also, code like [% SET limit_cgi_f = limit_cgi | url %] doesn't do anything (at least doesn't apply url filter) so it's not needed. Test scenario: 1. find results in your opac which contain accented characters 2. click on them and verify that results are missing 3. apply this patch 4. re-run search and click on facets link verifying that there are now results 5. verify that facets are still safe from injection by constructing url like /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123 and verifying that you DON'T see prompt window in your browser -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
