Koha/opac
Dobrica Pavlinusic 1ca9adaa56 Bug 13789 - facets with accented utf-8 characters generate double encoded links
Bug 13425 tried to fix XSS in the OPAC by using the url filter in Template Toolkit
on the whole generated url. This doesn't work and creates double-encoded strings
in facets because we are creating the url variable by concatenating query_cgi
(which did pass through uri_escape_utf8 on the Perl side) and other
parameters which have to be escaped in the template.

Also, code like

[% SET limit_cgi_f = limit_cgi | url %]

doesn't do anything (at least it doesn't apply the url filter), so it's not needed.

This patch also fixes encoding of hidden fields used in sort by form.

And lastly, it tries to make the facet changes for the OPAC and intranet as similar as
possible to simplify future maintenance of this code.

Test scenario:
1. find results in your OPAC which contain accented characters
2. click on them and verify that results are missing
3. apply this patch
4. re-run the search and click on the facets link, verifying that there are
   now results
5. test the sort by form and verify that results are ok
6. verify that facets are still safe from injection by constructing a url like
   /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123
   and verifying that you DON'T see a prompt window in your browser

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-03-07 21:05:04 +01:00
errors Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
rss adding file just for creating the rss directory 2007-08-02 08:50:43 +00:00
sco Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
svc Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
ilsdi.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
maintenance.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
oai.pl Bug 13568 OAI Server doesn't handle properly resumption token 2015-02-19 09:49:46 -03:00
opac-account.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-addbybiblionumber.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-alert-subscribe.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-authorities-home.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-authoritiesdetail.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-basket.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-blocked.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-browser.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-changelanguage.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-course-details.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-course-reserves.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-detail.pl Bug 11944: Fix problems introduced by bug 11515 2015-01-13 13:07:55 -03:00
opac-downloadcart.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-downloadshelf.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-export.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-ics.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-image.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-imageviewer.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-ISBDdetail.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-main.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-MARCdetail.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-memberentry.pl Bug 13526 - Mandatory fields should not be able to be hidden in borrower self-registration 2015-01-18 10:45:10 -03:00
opac-messaging.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-modrequest-suspend.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-modrequest.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-mymessages.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-overdrive-search.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-passwd.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-patron-image.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-privacy.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-ratings-ajax.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-ratings.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-readingrecord.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-registration-verify.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-renew.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-reserve.pl Bug 13335 - Holds and priority display via OPACShowHoldQueueDetails confusing 2015-02-12 15:20:59 -03:00
opac-review.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-search-history.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-search.pl Bug 13789 - facets with accented utf-8 characters generate double encoded links 2015-03-07 21:05:04 +01:00
opac-sendbasket.pl Bug 13343: Embed items when send a basket/shelf 2015-02-12 15:33:11 -03:00
opac-sendshelf.pl Bug 13343: Embed items when send a basket/shelf 2015-02-12 15:33:11 -03:00
opac-serial-issues.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-shareshelf.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-shelves.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-showmarc.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-showreviews.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-suggestions.pl Bug 12702 - Suggestions still accessible in OPAC when deactivated 2015-01-18 10:40:56 -03:00
opac-tags.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-tags_subject.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-topissues.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac-user.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
tracklinks.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
unapi Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00