From cdcfce4c6c1c6ad9018e620f6e8f6450c93d1900 Mon Sep 17 00:00:00 2001
From: Andrew Isherwood
Date: Tue, 15 May 2018 16:00:02 +0100
Subject: [PATCH] Bug 20770: ILL loans OPAC form notes field allow arbitrary input

This patch addresses the lack of sanitization of the "notes" field on the OPAC "View Interlibrary loan request" page.

To test:

- Apply the patch
- As an OPAC user, create an ILL request
- Navigate to the request's "View Interlibrary loan request" page
- Add the following note: Hello

TESTING

- Click "Submit modifications"
- TEST: Observe, when the page reloads, only the following is preserved in the "Notes" textarea: Hello TESTING
- As a staff user, navigate to the ILL requests table
- Select "Manage request" for the request you created
- TEST: Observe that the Notes field only contains: Hello TESTING
- TEST: Observe that no Javascript alert is displayed

Signed-off-by: Mark Tompsett
Signed-off-by: Marcel de Rooy
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit 552873f7d466abee6919414b8d2f5e6c99f9a44f)
Signed-off-by: Martin Renvoize
(cherry picked from commit cc81442349cb07afe242607f2c40acb62e4e76fb)
Signed-off-by: Fridolin Somers
---
 koha-tmpl/intranet-tmpl/prog/css/staff-global.css | 4 ++++
 koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt | 4 ++--
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt | 4 ++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/css/staff-global.css b/koha-tmpl/intranet-tmpl/prog/css/staff-global.css index d71e8cc33c..ee7ab4b35a 100644 --- a/koha-tmpl/intranet-tmpl/prog/css/staff-global.css +++ b/koha-tmpl/intranet-tmpl/prog/css/staff-global.css @@ -3140,6 +3140,10 @@ fieldset.rows + fieldset.action { width: auto; } +#ill-view-panel .notesopac { + display: inline-block; +} + table#ill-requests { width: 100% !important; } diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt index 134931577c..e7e0372b58 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt @@ -451,7 +451,7 @@
  • - +
  • @@ -549,7 +549,7 @@
    Notes: -
    [% request.notesopac %]
    +
    [% request.notesopac | html %]
    diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt index ae9b918290..81fd2ba81e 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt @@ -166,9 +166,9 @@
  • [% IF !request.completed %] - + [% ELSE %] - [% request.notesopac %] + [% request.notesopac | html %] [% END %]
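Review bot: in the opac-illrequests.tt hunk the `[% IF !request.completed %]` branch, which is the editable Notes textarea the test plan checks, survives in this copy only as `- +`, so it cannot be confirmed that it received the same `| html` filter as the `[% ELSE %]` branch. It needs it: a stored value written between the textarea tags without escaping can still terminate the element early, so the "only Hello TESTING is preserved in the textarea" test depends on that line. Please re-post the hunk or confirm the filter is applied there as well.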
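Review bot: in the ill-requests.tt @@ -549 hunk the change from `[% request.notesopac %]` to `[% request.notesopac | html %]` is output encoding, not sanitization, so the commit message's "lack of sanitization" wording should say the value is now HTML-escaped when rendered; the stored data is unchanged, and every other template that prints request.notesopac needs the same filter. The @@ -451 hunk of the same file is unreadable here (only `- +` remains), so please confirm that it applies the filter too.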
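Review bot: the staff-global.css hunk (`#ill-view-panel .notesopac { display: inline-block; }`) is a layout change that neither the commit message nor the test plan mentions; either add a sentence explaining why the escaped output needs it or move it to a separate patch, so the security fix stays minimal and easy to backport.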
-- 2.39.5