From 863938f16c6e9840c194a05717da1831c9054266 Mon Sep 17 00:00:00 2001
From: Srdjan Jankovic
Date: Wed, 24 Feb 2010 13:41:24 +1300
Subject: [PATCH] Escape input that goes in HTML; Reworked search history insert SQL
Signed-off-by: Chris Cormack
Signed-off-by: Galen Charlton
---
 C4/Auth.pm | 46 ++++++++-----------
 .../intranet-tmpl/prog/en/modules/auth.tmpl | 2 +-
 .../prog/en/modules/catalogue/results.tmpl | 8 ++--
 .../prog/en/modules/catalogue/subject.tmpl | 4 +-
 .../prog/en/modules/installer/auth.tmpl | 2 +-
 .../opac-tmpl/prog/en/modules/opac-auth.tmpl | 2 +-
 .../prog/en/modules/opac-results-grouped.tmpl | 4 +-
 .../prog/en/modules/opac-results.tmpl | 4 +-
 .../prog/en/modules/sco/sco-main.tmpl | 2 +-
 9 files changed, 34 insertions(+), 40 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 0ac74a9f1d..2ed737096b 100755
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -121,6 +121,10 @@ C4::Auth - Authenticates Koha users
 =cut
+my $SERCH_HISTORY_INSERT_SQL =<{'query'}->cookie('KohaOpacRecentSearches');
 if ($searchcookie){
 $searchcookie = uri_unescape($searchcookie);
- if (thaw($searchcookie)) {
- @recentSearches = @{thaw($searchcookie)};
- }
-
- if (@recentSearches > 0) {
- my $query = "INSERT INTO search_history(userid, sessionid, query_desc, query_cgi, total, time) VALUES";
- my $icount = 1;
- foreach my $asearch (@recentSearches) {
- $query .= "(";
- $query .= $borrowernumber . ", ";
- $query .= '"' . $in->{'query'}->cookie("CGISESSID") . "\", ";
- $query .= '"' . $asearch->{'query_desc'} . "\", ";
- $query .= '"' . $asearch->{'query_cgi'} . "\", ";
- $query .= $asearch->{'total'} . ", ";
- $query .= 'FROM_UNIXTIME(' . $asearch->{'time'} . "))";
- if ($icount < @recentSearches) { $query .= ", ";}
- $icount++;
- }
-
- my $sth = $dbh->prepare($query);
- $sth->execute;
+ my @recentSearches = @{thaw($searchcookie) || []};
+ if (@recentSearches) {
+ my $sth = $dbh->prepare($SERCH_HISTORY_INSERT_SQL);
+ $sth->execute( $borrowernumber,
+ $in->{'query'}->cookie("CGISESSID"),
+ $_->{'query_desc'},
+ $_->{'query_cgi'},
+ $_->{'total'},
+ $_->{'time'},
+ ) foreach @recentSearches;
 # And then, delete the cookie's content
 my $newsearchcookie = $in->{'query'}->cookie(
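Review bot: `my @recentSearches = @{thaw($searchcookie) || []};` still treats the KohaOpacRecentSearches cookie as trusted data: Storable's thaw() croaks on a corrupt image and the `@{...}` dereference dies when the image is not an array reference, so a tampered or truncated cookie now ends the request with a fatal error instead of being ignored; the same line is added again in the `@@ -314,11 +306,13 @@` hunk. Guarding both places with `my $thawed = eval { thaw($searchcookie) };` and `my @recentSearches = (reftype($thawed) || '') eq 'ARRAY' ? @$thawed : ();` (reftype from the core Scalar::Util) keeps a malformed cookie harmless, and each element is likewise assumed to be a hash reference on the `$_->{'query_desc'}` lines. More broadly, thawing a client-controlled cookie is deserialization of untrusted input, so a signed or plain-text cookie format would be the durable fix. The heredoc body assigned to `$SERCH_HISTORY_INSERT_SQL` (note the spelling) is not visible in this rendering, so whether `$_->{'time'}` is still wrapped in FROM_UNIXTIME() on the SQL side could not be checked, and the `$sth->execute` return value is not inspected. get_template_and_user continues outside the hunk.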
@@ -314,11 +306,13 @@ sub get_template_and_user {
 }
 # Anonymous opac search history
 # If opac search history is enabled and at least one search has already been performed
- if (C4::Context->preference('EnableOpacSearchHistory') && $in->{'query'}->cookie('KohaOpacRecentSearches')) {
+ if (C4::Context->preference('EnableOpacSearchHistory')) {
+ my $searchcookie = $in->{'query'}->cookie('KohaOpacRecentSearches');
+ if ($searchcookie){
+ $searchcookie = uri_unescape($searchcookie);
+ my @recentSearches = @{thaw($searchcookie) || []};
 # We show the link in opac
- if (thaw(uri_unescape($in->{'query'}->cookie('KohaOpacRecentSearches')))) {
- my @recentSearches = @{thaw(uri_unescape($in->{'query'}->cookie('KohaOpacRecentSearches')))};
- if (@recentSearches > 0) {
+ if (@recentSearches) {
 $template->param(ShowOpacRecentSearchLink => 1);
 }
 }
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tmpl
index b3d1f4ca26..5867f6daad 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tmpl
@@ -39,7 +39,7 @@
" method="post" name="loginform" id="loginform"> - " value="" /> + " value="" />

" size="20" tabindex="1" /> diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tmpl index 9dbfe4a6fc..b81970a3ba 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tmpl +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tmpl @@ -207,10 +207,10 @@ function GetZ3950Terms(){ - " value=""/> + " value=""/> - " value=""/> + " value=""/> @@ -363,10 +363,10 @@ function GetZ3950Terms(){ - " value=""/> + " value=""/> - " value=""/> + " value=""/> diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/subject.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/subject.tmpl index aceb40c03d..6ba5005ecc 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/subject.tmpl +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/subject.tmpl @@ -33,7 +33,7 @@ -

&startfrom=">Previous Records &startfrom=">Next Records

+

&startfrom=">Previous Records &startfrom=">Next Records

@@ -43,4 +43,4 @@ - \ No newline at end of file + diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tmpl index 0cb8092f8a..5335bec240 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tmpl +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tmpl @@ -30,7 +30,7 @@ " method="post" name="mainform" id="mainform"> - " value="" /> + " value="" />

Welcome to the Koha Web Installer

Before we begin, please verify you have the correct credentials to continue. Please log in diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tmpl index 161b0820af..ec569cd95f 100644 --- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tmpl +++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tmpl @@ -56,7 +56,7 @@ " name="auth" id="auth" method="post">

- " value="" /> + " value="" />
  1. diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tmpl index 0162ccb2a8..1d5e8f1913 100644 --- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tmpl +++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tmpl @@ -168,10 +168,10 @@ function highlightOn() { - " value=""/> + " value=""/> - " value=""/> + " value=""/> diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tmpl index b01ba42b2a..967e79015c 100644 --- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tmpl +++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tmpl @@ -315,10 +315,10 @@ $(document).ready(function(){ - " value=""/> + " value=""/> - " value=""/> + " value=""/> diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/sco/sco-main.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/sco/sco-main.tmpl index 0ac11f5f39..64e9dc39f4 100644 --- a/koha-tmpl/opac-tmpl/prog/en/modules/sco/sco-main.tmpl +++ b/koha-tmpl/opac-tmpl/prog/en/modules/sco/sco-main.tmpl @@ -230,7 +230,7 @@ Sorry, This Self-Checkout Station has lost authentication. Please contact the a
    - " value=""> + " value="">
  2. -- 2.39.5