Main Koha release repository https://koha-community.org
Dobrica Pavlinusic 1ca9adaa56 Bug 13789 - facets with accented utf-8 characters generate double encoded links
Bug 13425 tried to fix XSS in OPAC, by using url filter in template toolkit
on whole generated url. This doesn't work and creates double encoded strings
in facets because we are creating url variable by concatenating query_cgi
(which did pass through uri_escape_utf8 on perl side) and other
parameters which have to be escaped in template.

Also, code like

[% SET limit_cgi_f = limit_cgi | url %]

doesn't do anything (at least doesn't apply url filter) so it's not needed.

This patch also fixes encoding of hidden fields used in sort by form.

And lastly, it tries to make facet changes for opac and intranet as similar as
possible to simplify future maintenance of this code.

Test scenario:
1. find results in your opac which contain accented characters
2. click on them and verify that results are missing
3. apply this patch
4. re-run search and click on facets link verifying that there are
   now results
5. test sort by form and verify that results are ok
6. verify that facets are still safe from injection by constructing url like
   /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123
   and verifying that you DON'T see prompt window in your browser

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-03-07 21:05:04 +01:00
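The double encoding the commit describes, as an added example that is not Koha's own code: Python stand-ins approximate Perl's uri_escape_utf8 (and Template Toolkit's uri filter) and Template Toolkit's url filter, and the query, facet and sort_by values are constructed. It shows why filtering the whole concatenated URL corrupts the already-escaped query_cgi, and that escaping each value once still keeps the sort_by injection from the test scenario out of the markup.

```python
from urllib.parse import quote, parse_qs, urlsplit

BASE = "/cgi-bin/koha/opac-search.pl"

def uri_escape_utf8(s):
    # Approximates Perl's URI::Escape::uri_escape_utf8 (and TT's 'uri' filter):
    # UTF-8 encode, then percent-encode everything except A-Za-z0-9-_.~
    return quote(s, safe="")

def tt_url_filter(s):
    # Approximates Template Toolkit's 'url' filter: like 'uri' but leaves the
    # URL structure characters ;/?:@&=+$, and !*'() alone. '%' IS escaped,
    # which is what double-encodes a query_cgi that was escaped in Perl already.
    return quote(s, safe=";/?:@&=+$,!*'()")

def facet_url_before(query_cgi, sort_by, facet_type, facet_value):
    # Pre-patch pattern: concatenate query_cgi (escaped once on the Perl side)
    # with raw template values, then run the whole URL through 'url'.
    url = f"{BASE}?{query_cgi}&sort_by={sort_by}&limit={facet_type}:{facet_value}"
    return tt_url_filter(url)

def facet_url_after(query_cgi, sort_by, facet_type, facet_value):
    # Post-patch pattern: query_cgi is used as-is; every not-yet-escaped value is
    # escaped exactly once, and only then are the pieces concatenated.
    return (f"{BASE}?{query_cgi}&sort_by={uri_escape_utf8(sort_by)}"
            f"&limit={facet_type}:{uri_escape_utf8(facet_value)}")

def server_view(url):
    # What opac-search.pl sees after CGI decoding, as {param: value}.
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def is_markup_safe(url):
    # The link may be dropped into an href attribute only if no raw quote or
    # angle bracket survived escaping; this is what test step 6 checks visually.
    return not any(c in url for c in '<>"')

if __name__ == "__main__":
    # Constructed sample values, not taken from any Koha catalogue.
    q = "Éléphants"
    query_cgi = "q=" + uri_escape_utf8(q)   # escaped on the Perl side
    xss = "'\"><script>prompt('Happy_Holidays')</script>"
    for build in (facet_url_before, facet_url_after):
        url = build(query_cgi, xss, "su-to", q)
        seen = server_view(url)
        print(build.__name__, "q=%r markup_safe=%s" % (seen["q"], is_markup_safe(url)))
```

Run it and the "before" link hands the server the literal string `%C3%89l%C3%A9phants` as q (no results), while the "after" link hands it `Éléphants`; both keep the sort_by payload out of the markup.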
acqui Bug 12970: Fix the footer if several tax rates exist 2015-02-19 10:08:24 -03:00
admin Bug 13401 - sort branches alphabetically in admin/authorised_values.pl 2015-02-09 13:41:33 -03:00
authorities Bug 11961 - This patch fixes the QA critical error, fixes the capitalization and the UNIMARC support. 2015-01-24 18:19:10 -03:00
basket Bug 13343: Embed items when sending a basket/shelf 2015-02-12 15:33:11 -03:00
C4 Bug 9848: SIP tests, fix in 10renew_all.t (additional checkin) 2015-03-05 11:47:31 +01:00
catalogue Bug 13789 - facets with accented utf-8 characters generate double encoded links 2015-03-07 21:05:04 +01:00
cataloguing Bug 13635: Unimarc - On editing a notice, the title should be displayed 2015-03-05 16:36:32 +01:00
circ Bug 12122: TransferSlip should accept both itemnumber and barcode 2015-03-05 11:47:12 +01:00
course_reserves Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
debian Bug 13759 - git-build-snapshot misses YUI and dies of sorrow during build 2015-03-02 15:25:47 +01:00
docs Bug 13575 - Names do not appear in the Koha history Timeline. 2015-03-05 11:48:13 +01:00
errors Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
etc Bug 12948: Use word indexing for language (MARC21) 2015-02-20 11:51:59 -03:00
install_misc GRS-1 deprecation leftover used by jenkins 2015-01-13 15:30:31 -03:00
installer Bug 11395: DBRev 3.19.00.013 2015-03-05 15:49:25 +01:00
Koha Bug 13523: DBIC updates 2015-02-24 14:20:31 -03:00
koha-tmpl Bug 13789 - facets with accented utf-8 characters generate double encoded links 2015-03-07 21:05:04 +01:00
labels Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
members Bug 13602: (QA followup) take advantage of the defined-or operator 2015-02-09 13:32:50 -03:00
misc Bug 13679 : Bug in listing overdues 2015-02-20 10:19:36 -03:00
offline_circ Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
opac Bug 13789 - facets with accented utf-8 characters generate double encoded links 2015-03-07 21:05:04 +01:00
OpenILS Bug 9239 QA follow-up: remove stray debug code 2013-03-16 21:32:34 -04:00
patron_lists Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
patroncards Bug 13189 - Patron card creator patron search browse by last name broken by extended attributes 2015-02-12 15:35:07 -03:00
plugins Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
reports Bug 11944: Remove bad FIXME in guided_report 2015-01-13 13:07:31 -03:00
reserve Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
reviews Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
rotating_collections Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
selenium Adding selenium tests for filterMembers 2009-09-30 11:30:37 +02:00
serials Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
services Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
skel Bug 11078: Add locking to rebuild_zebra 2014-02-28 22:21:41 +00:00
sms Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
suggestion Bug 13731: Suggestions reason does not save on updating the status 2015-03-02 15:47:24 +01:00
svc Bug 11395: New service to preview a record. 2015-03-05 15:27:03 +01:00
t Bug 12122: TransferSlip should accept both itemnumber and barcode 2015-03-05 11:47:12 +01:00
tags Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
test Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
tmp/modified_authorities changing DO_NOT_REMOVE to README.txt 2007-10-21 19:14:41 -05:00
tools Bug 11395: exit should be done after displaying the output 2015-03-05 15:27:17 +01:00
virtualshelves Bug 13343: Embed items when sending a basket/shelf 2015-02-12 15:33:11 -03:00
xt Bug 13199: follow up to fix Licence and some koha-qa errors 2014-11-20 09:47:54 -03:00
.editorconfig Bug 12545: Add EditorConfig.org file to the source tree 2014-08-22 11:07:45 -03:00
.htaccess Fix file permissions: if it is not a script, it should not be executable. 2010-04-16 00:40:34 -04:00
.mailmap Bug 13314: Follow-up for m.de.rooy in .mailmap 2014-11-26 11:16:18 -03:00
about.pl Bug 13404 [QA Followup] 2015-02-09 13:42:32 -03:00
changelanguage.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
edithelp.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
fix-perl-path.PL installer: improvements to fix-path-perl.PL on Win32 2007-12-20 19:20:12 -06:00
help.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
INSTALL Bug 7759, update of install files to use background indexing (and some whitespace tidy) 2012-04-20 16:11:52 +02:00
install-CPAN.pl Bug 5370: Fix all the references to koha.org 2010-11-08 09:41:49 +13:00
INSTALL.debian Bug 8092 follow-up: Add optional dependency on CHI 2012-06-09 13:08:18 +02:00
INSTALL.fedora7 Bug 11757: remove dependency on POE 2014-02-15 01:38:15 +00:00
INSTALL.opensuse Bug 11757: remove dependency on POE 2014-02-15 01:38:15 +00:00
INSTALL.ubuntu Bug 7764: (follow-up) editorial tweaks 2013-10-04 16:27:55 +00:00
koha_perl_deps.pl bug 10548: fix count of missing required dependencies by koha_perl_deps.pl 2013-07-11 14:03:32 +00:00
kohaversion.pl Bug 11395: DBRev 3.19.00.013 2015-03-05 15:49:25 +01:00
LICENSE Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
mainpage.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
Makefile.PL Bug 11927 - Add gr install option 2015-01-21 10:58:58 -03:00
MANIFEST.SKIP Bug 9546 : Updating make manifest tardist 2013-02-06 23:54:46 -05:00
README Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
README.robots Bug 6411 add another example to README.robots 2011-07-05 14:48:05 +12:00
rewrite-config.PL Bug 12031: [QA Follow-up] Undefined routine and change to koha-conf.xml 2014-10-27 10:38:11 -03:00

Koha is a free software integrated library system.

Koha is distributed under the GNU GPL version 3 or later.
Please read the file LICENSE for more details.

To install or upgrade Koha, please see the INSTALL file appropriate
to your platform.

Report bugs at http://bugs.koha-community.org/

Visit the Koha Project website at http://www.koha-community.org/