Bug 27961: Ensure external URLs are filtered

TT variables are used to build the link in items.uri . This is a problem particularly when TrackClicks is enabled because the items.uri value doesn't get escaped, resulting in a 404. To test: 1) Enable the TrackClicks system preference (set to Track or Track anonymously) 2) Find a record with an item 3) Edit the item and put an external URL under the Uniform Resource Identifier field 4) Go to that record in the OPAC 5) Click on Link to resource 6) Confirm you are not redirected to the URL and instead see a 404 7) Apply the patch and refresh the page 8) Click on Link to resource 9) Confirm you are redirected as expected 10) Go back to the staff client to edit your item. This time put two URLs in the Uniform Resource Identifier field, separated by ' | '. (Don't forget the spaces around the pipe, and don't forget to add a trailing slash to the URL). 11) Go back to the OPAC and refresh the page. 12) Confirm both URLs redirect as expected. Sponsored-by: Parliamentary Library New Zealand Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-03-16 10:41:53 +13:00 · 2021-03-16 10:41:53 +13:00 · 4a5c946d95
commit 4a5c946d95
parent 21ed3887fb
1 changed files with 14 additions and 6 deletions
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
@ -1378,19 +1378,27 @@
                [% IF ( itemdata_uri ) %]
                    <td class="url">
                    [% IF ITEM_RESULT.uri %]
-                        [%# Initialize three helper vars %]
-                        [% SET target_attr = ''; SET rel_attr = ''; SET href_attr = '' %]
+                        [%# Initialize two helper vars %]
+                        [% SET target_attr = ''; SET rel_attr = '' %]
                        [% IF Koha.Preference('OPACURLOpenInNewWindow') %][% SET target_attr = '_blank'; SET rel_attr = 'noreferrer' %][% END %]

                        [%# Check if there are multiple URIs; in the single case we only use pref URLLinkText or Link to resource %]
                        [% IF ITEM_RESULT.uri.split(' \| ').size > 1 %]
                            [% FOREACH uri IN ITEM_RESULT.uri.split(' \| ') %]
-                                [% IF trackclicks == 'track' || trackclicks == 'anonymous' %][% SET href_attr = "/cgi-bin/koha/tracklinks.pl?uri=" _ uri _ "&amp;biblionumber=" _ biblio.biblionumber _ "&amp;itemnumber=" _ ITEM_RESULT.itemnumber %] [% ELSE %][% SET href_attr = uri %][% END %]
-                                <a target="[% target_attr | html %]" rel="[% rel_attr | html %]" href="[% href_attr | url %]" property="url">[% uri | html %]</a><br>
+                                [% IF trackclicks == 'track' || trackclicks == 'anonymous' %]
+                                    <a target="[% target_attr | html %]" rel="[% rel_attr | html %]" href="/cgi-bin/koha/tracklinks.pl?uri=[% uri | uri %]&amp;biblionumber=[% biblio.biblionumber | html %]&amp;itemnumber=[% ITEM_RESULT.itemnumber | html %]" property="url">[% uri | html %]</a>
+                                [% ELSE %]
+                                    <a target="[% target_attr | html %]" rel="[% rel_attr | html %]" href="[% uri | url %]" property="url">[% uri | html %]</a>
+                                [% END %]
                            [% END %]
                        [% ELSE %]
-                            [% IF trackclicks == 'track' || trackclicks == 'anonymous' %][% SET href_attr = "/cgi-bin/koha/tracklinks.pl?uri=" _ ITEM_RESULT.uri _ "&amp;biblionumber=" _ biblio.biblionumber _ "&amp;itemnumber=" _ ITEM_RESULT.itemnumber %] [% ELSE %][% SET href_attr = ITEM_RESULT.uri %][% END %]
-                            <a target="[% target_attr | html %]" rel="[% rel_attr | html %]" href="[% href_attr | url %]" property="url">[% IF Koha.Preference('URLLinkText') %][% Koha.Preference('URLLinkText') | html %][% ELSE %]Link to resource[% END %]</a>
+                            [% IF trackclicks == 'track' || trackclicks == 'anonymous' %]
+                                <a target="[% target_attr | html %]" rel="[% rel_attr | html %]" href="/cgi-bin/koha/tracklinks.pl?uri=[% ITEM_RESULT.uri | uri %]&amp;biblionumber=[% biblio.biblionumber | html %]&amp;itemnumber=[% ITEM_RESULT.itemnumber | html %]" property="url">
+                            [% ELSE %]
+                                <a target="[% target_attr | html %]" rel="[% rel_attr | html %]" href="[% ITEM_RESULT.uri | url %]" property="url">
+                            [% END %]
+                                [% IF Koha.Preference('URLLinkText') %][% Koha.Preference('URLLinkText') | html %][% ELSE %]Link to resource[% END %]
+                            </a>
                        [% END %]
                    [% END %]
                    </td>