Bug 13618: Use Template::Stash::AutoEscaping to use the html filter

Test plan: 0/ sudo cpanm Template::Stash::AutoEscaping 1/ Verify don't reproduce the XSS issue described on bug 13609 and other xss related bugs. 2/ Try to find some encoding issues (detail page, search results, facets, etc.) Signed-off-by: Signed-off-by: Joonas Kylmälä <j.kylmala@gmail.com> Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
9 years ago · 01b38d3b13
3 changed files with 10 additions and 3 deletions
--- a/C4/Installer/PerlDependencies.pm
+++ b/C4/Installer/PerlDependencies.pm
@ -822,6 +822,11 @@ our $PERL_DEPS = {
        'required' => '0',
        'min_ver'  => '0.03',
    },
+    'Template::Stash::AutoEscaping' => {
+        'usage'    => 'Code',
+        'required' => '1',
+        'min_ver'  => '0.0303',
+    },
 };

 1;
--- a/C4/Templates.pm
+++ b/C4/Templates.pm
@ -5,6 +5,7 @@ use warnings;
 use Carp;
 use CGI qw ( -utf8 );
 use List::MoreUtils qw/ any uniq /;
+use Template::Stash::AutoEscaping;

 # Copyright 2009 Chris Cormack and The Koha Dev Team
 #
@ -69,6 +70,7 @@ sub new {
            COMPILE_DIR => $use_template_cache ? C4::Context->config('template_cache_dir') : '',
            INCLUDE_PATH => \@includes,
            FILTERS => {},
+            STASH => Template::Stash::AutoEscaping->new,
            ENCODING => 'UTF-8',
        }
    ) or die Template->error();
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-authoritiessearchresultlist.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-authoritiessearchresultlist.tt
@ -1,7 +1,7 @@
 [% USE Koha %]
 [% PROCESS 'opac-authorities.inc' %]
 [% PROCESS 'authorities-search-results.inc' %]
-[% pagination = BLOCK %]
+[% BLOCK pagination %]
    <div class="pagination">
        <ul>
            [% IF ( displayprev ) %]
@ -56,7 +56,7 @@
                    <div id="userauthsearchresults" class="maincontent">
                        <h1>Authority search results</h1>

-                        [% pagination %]
+                        [% PROCESS pagination %]

                        <div id="results">
                            [% IF ( total ) %]
@ -102,7 +102,7 @@
                                </table>
                            </div> <!-- / .searchresults -->

-                            [% pagination %]
+                            [% PROCESS pagination %]

                        [% END # / IF total %]
                    </div> <!-- / #userauthsearchresults -->