1ca9adaa56
Bug 13425 tried to fix XSS in OPAC by using the url filter in Template Toolkit on the whole generated url. This doesn't work and creates double-encoded strings in facets, because we are creating the url variable by concatenating query_cgi (which already passed through uri_escape_utf8 on the perl side) and other parameters which have to be escaped in the template. Also, code like [% SET limit_cgi_f = limit_cgi | url %] doesn't do anything (at least it doesn't apply the url filter), so it's not needed. This patch also fixes the encoding of hidden fields used in the sort-by form. And lastly, it tries to make the facet changes for opac and intranet as similar as possible to simplify future maintenance of this code. Test scenario: 1. find results in your opac which contain accented characters 2. click on them and verify that results are missing 3. apply this patch 4. re-run the search and click on the facet links, verifying that there are now results 5. test the sort-by form and verify that the results are ok 6. verify that facets are still safe from injection by constructing a url like /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123 and verifying that you DON'T see a prompt window in your browser Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
[%# Facet sidebar for the staff-client results page. Every link below points back at
    /cgi-bin/koha/catalogue/search.pl with the current query, limits and sort order
    preserved.
    Escaping contract (from the Bug 13425 commit message): query_cgi arrives already
    URI-escaped from the Perl side, so it must NOT be passed through the url filter
    again (that double-encodes it); limit_cgi is assumed to be pre-escaped the same
    way - confirm on the Perl side. Values dropped into an HTML attribute get the
    html filter; request values appended to a URL get the url filter at output time. %]
[% IF ( opacfacets ) %]
[% IF ( facets_loop ) %]
<div id="search-facets">
<h4>Refine your search</h4>
<ul>
[%# Availability toggle. query_cgi / limit_cgi are pre-escaped, so only the html
    filter is applied for the attribute context; sort_by comes straight from the
    request and therefore gets url. %]
<li id="availability_facet">Availability<ul><li>[% IF ( available ) %]Showing only <strong>available</strong> items. <a href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi_not_availablity %][% IF ( sort_by ) %]&sort_by=[% sort_by |url %][% END %]">Show all items</a>[% ELSE %]Limit to <a href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %][% IF ( sort_by ) %]&sort_by=[% sort_by |url %][% END %]&limit=available">currently available items.</a>[% END %]</li></ul>
[%# NOTE(review): limit_cgi_not_availablity above and relate.related_search here are
    emitted without any filter - confirm they are escaped upstream or add a filter. %]
[% IF ( related ) %] <li>(related searches: [% FOREACH relate IN related %][% relate.related_search %][% END %])</li>[% END %]
</li>

[%# One <li> per facet group (authors, titles, topics, ...); groups with no values
    are skipped. %]
[% FOREACH facets_loo IN facets_loop %]
[% IF facets_loo.facets.size > 0 %]
<li id="[% facets_loo.type_id %]">
[%# Group heading: type_label plus one id-addressable span per known facet type. %]
[% facets_loo.type_label %]
[% IF facets_loo.type_label_Authors %]<span id="facet-authors">Authors</span>[% END %]
[% IF facets_loo.type_label_Titles %]<span id="facet-titles">Titles</span>[% END %]
[% IF facets_loo.type_label_Topics %]<span id="facet-topics">Topics</span>[% END %]
[% IF facets_loo.type_label_Places %]<span id="facet-places">Places</span>[% END %]
[% IF facets_loo.type_label_Series %]<span id="facet-series">Series</span>[% END %]
[% IF facets_loo.type_label_ItemTypes %]<span id="facet-itemtypes">Item types</span>[% END %]
[% IF ( facets_loo.type_label_HomeLibrary ) %]<span id="facet-home-libraries">Home libraries</span>[% END %]
[% IF ( facets_loo.type_label_HoldingLibrary ) %]<span id="facet-holding-libraries">Holding libraries</span>[% END %]
[% IF facets_loo.type_label_Location %]<span id="facet-locations">Locations</span>[% END %]
<ul>
[% FOREACH facet IN facets_loo.facets %]
<li>
[%# Base URL for this facet value: raw concatenation, relying on both pieces being
    URI-escaped before they reach the template. %]
[% SET url = "/cgi-bin/koha/catalogue/search.pl?" _ query_cgi _ limit_cgi %]
[% IF ( sort_by ) %]
[%# Appended through a BLOCK capture because "SET x = y | url" does not apply the
    filter (see commit message). TT's url filter leaves & and = untouched but encodes
    quotes and angle brackets, which is what keeps a hostile sort_by from breaking out
    of the href attribute below. %]
[% url = BLOCK %][% url %][% "&sort_by=" _ sort_by |url %][% END %]
[% END %]
[%# NOTE(review): in both branches type_link_value / facet_link_value are appended with
    no filter and url is then written raw into href. That is only safe if both values
    are URI-escaped on the Perl side - verify. facet_label_value and facet_count are
    also output unfiltered into element content. %]
[% IF facet.active %]
[%# Active facet: render the label and a link that removes this limit (nolimit=). %]
[% SET url = url _ "&nolimit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]
<span class="facet-label">[% facet.facet_label_value %]</span>
[<a href="[% url %]" title="Remove facet [% facet.facet_link_value | html %]">x</a>]
[% ELSE %]
[%# Inactive facet: link that adds this limit (limit=), optionally with its count. %]
[% SET url = url _ "&limit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]
<span class="facet-label"><a href="[% url %]" title="[% facet.facet_title_value |html %]">[% facet.facet_label_value %]</a></span>
[% IF ( displayFacetCount ) %]
<span class="facet-count"> ([% facet.facet_count %])</span>
[% END %]
[% END %]
</li>
[% END %]
[% IF ( facets_loo.expandable ) %]
<li class="showmore">
[%# NOTE(review): this "Show more" link builds its URL differently from the links
    above: query_cgi is unfiltered and limit_cgi gets url, which would re-encode any
    percent sign already present in it - the same double-encoding this commit removes
    from the facet links. It presumably wants the same treatment as the availability
    link (html). The href also spans two source lines, so a newline ends up inside the
    attribute when offset is set unless TT chomping is configured - confirm. %]
<a href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi %][% limit_cgi |url %][% IF ( sort_by ) %]&sort_by=[% sort_by |url %][% END %][% IF ( offset ) %]
&offset=[% offset |url %][% END %]&expand=[% facets_loo.expand |url %]#[% facets_loo.type_id |url %]">Show more</a>
</li>
[% END %]
</ul></li>
[% END %]
[% END %]
</ul>
</div>
[% END %]
[% END %]