Bug 22478: Prevent XSS vulnerabilities when pagination appears
This is a bad one, as we thought we were XSS safe since bug 13618. The HTML code generated in C4::Output::pagination_bar must escape the variables and values correctly. This patch needs to be widely tested, everywhere the pagination appears, to make sure we will not introduce regressions. Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
parent
0fb9b9fdb0
commit
f021ca30a5
1 changed files with 5 additions and 1 deletions
|
@ -29,6 +29,7 @@ use strict;
|
||||||
#use warnings; FIXME - Bug 2505
|
#use warnings; FIXME - Bug 2505
|
||||||
|
|
||||||
use URI::Escape;
|
use URI::Escape;
|
||||||
|
use Scalar::Util qw( looks_like_number );
|
||||||
|
|
||||||
use C4::Context;
|
use C4::Context;
|
||||||
use C4::Templates;
|
use C4::Templates;
|
||||||
|
@ -89,6 +90,9 @@ sub pagination_bar {
|
||||||
my $startfrom_name = (@_) ? shift : 'page';
|
my $startfrom_name = (@_) ? shift : 'page';
|
||||||
my $additional_parameters = shift || {};
|
my $additional_parameters = shift || {};
|
||||||
|
|
||||||
|
$current_page = looks_like_number($current_page) ? $current_page : undef;
|
||||||
|
$nb_pages = looks_like_number($nb_pages) ? $nb_pages : undef;
|
||||||
|
|
||||||
# how many pages to show before and after the current page?
|
# how many pages to show before and after the current page?
|
||||||
my $pages_around = 2;
|
my $pages_around = 2;
|
||||||
|
|
||||||
|
@ -106,7 +110,7 @@ sub pagination_bar {
|
||||||
my $url = $base_url . (($base_url =~ m/$delim/ or $base_url =~ m/\?/) ? '&' : '?' ) . $startfrom_name . '=';
|
my $url = $base_url . (($base_url =~ m/$delim/ or $base_url =~ m/\?/) ? '&' : '?' ) . $startfrom_name . '=';
|
||||||
my $url_suffix;
|
my $url_suffix;
|
||||||
while ( my ( $k, $v ) = each %$additional_parameters ) {
|
while ( my ( $k, $v ) = each %$additional_parameters ) {
|
||||||
$url_suffix .= '&' . $k . '=' . $v;
|
$url_suffix .= '&' . URI::Escape::uri_escape_utf8($k) . '=' . URI::Escape::uri_escape_utf8($v);
|
||||||
}
|
}
|
||||||
my $pagination_bar = '';
|
my $pagination_bar = '';
|
||||||
|
|
||||||
|
|
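Review bot: The new `looks_like_number` guards on `$current_page` and `$nb_pages` in the second hunk still admit values such as `Inf`, `NaN`, negatives, floats and numbers with leading whitespace, because that predicate tests "is numeric" rather than "is a non-negative integer"; what such values do depends on the page loop further down in `pagination_bar`, which lies outside these hunks, so I would tighten the check to `$current_page = ( defined $current_page && $current_page =~ m/\A[0-9]+\z/ ) ? $current_page : undef;` and the same for `$nb_pages`. In the third hunk `$startfrom_name` and `$base_url` are still concatenated into `$url` unescaped while `$k` and `$v` now go through `uri_escape_utf8`; `$startfrom_name` defaults to the caller-supplied `'page'`, so this is probably fine, but if it can ever carry request data it deserves the same `URI::Escape::uri_escape_utf8($startfrom_name)` treatment for consistency. Percent-encoding only makes the parameter values URL-safe, so whatever later embeds `$url_suffix` into an `href` must still HTML-escape it (at minimum `&` as `&amp;`); that code is not visible in these hunks. `pagination_bar` begins before the second hunk and continues past the last one.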