From c98d6f14ee588e5648c97ad75dfa07d0a719739f Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 3 Apr 2020 13:52:12 +0200 Subject: [PATCH] Bug 4461: Correctly deal with encoding/escaping chars MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This patch deals (hopefully) correctly with encoding and escaping chars. It also remove OPACBaseURL from the url stored in DB, and readd is on display, to avoid possible attacks. Test plan: Go to the authority search fill term with something hacky And Ŝ♥m€ E★tr₳ Search Click the "Report a problem" link Fill the form and make sure the url is displayed correctly submit Check problem_reports.problempage in DB => Should be correctly displayed Go to staff interface, "OPAC problem reports" => Confirm the link is correctly display Click it => Confirm that you are at the OPAC, and the URL is correct Signed-off-by: Jonathan Druart Signed-off-by: Martin Renvoize --- .../prog/en/modules/admin/problem-reports.tt | 4 ++-- .../opac-tmpl/bootstrap/en/modules/opac-reportproblem.tt | 6 +++--- opac/opac-reportproblem.pl | 8 ++++++-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/problem-reports.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/problem-reports.tt index 6c7080f3ff..b2e0ea5a08 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/problem-reports.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/problem-reports.tt @@ -79,8 +79,8 @@ [% report.title | html %]
[% report.content | html %] - [% report.problempage | html %] - [% report.recipient %] + [% OPACBaseURL | url %][% report.problempage | html %] + [% report.recipient | html %] [% report.created_on | $KohaDates with_hours => 1 %] [% INCLUDE 'patron-title.inc' patron => report.patron hide_patron_infos_if_needed=1 %] [% report.status | html %] diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-reportproblem.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-reportproblem.tt index b866967a90..efae1019a2 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-reportproblem.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-reportproblem.tt @@ -37,7 +37,7 @@ [% ELSE %] Your problem report has been sent to the library. [% END %] - [% CASE 'error_on_send' %][#% We really should avoid reaching this! %] + [% CASE 'error_on_send' #We really should avoid reaching this! %] Something wrong happened when sending the report. Please contact your library. [% END %] @@ -62,8 +62,8 @@
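Review bot: The link built by `[% OPACBaseURL | url %][% report.problempage | html %]` is same-origin only if `report.problempage` is a root-relative path, and the template has no way to enforce that: a stored value such as `@evil.example/` or `.evil.example/` concatenated onto a base URL with no trailing slash yields a link to a different host, which the `html` filter does nothing to prevent. Unless the OPAC handler rejects values that do not start with `/` before storing them (not visible in this hunk), that check belongs there; in this template a comment stating the invariant would help the next maintainer, e.g. `[%# problempage is a root-relative OPAC path; OPACBaseURL is prepended here so the stored value can never choose the host %]`. The enclosing table row starts and ends outside the hunk.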
  • - - [% problempage | html %] + + [% problempage | html %]
  • diff --git a/opac/opac-reportproblem.pl b/opac/opac-reportproblem.pl index 7e62f75c65..2abce15c1f 100755 --- a/opac/opac-reportproblem.pl +++ b/opac/opac-reportproblem.pl @@ -28,6 +28,8 @@ use Koha::ProblemReport; use Koha::Libraries; use Koha::Patrons; use Koha::Util::Navigation; +use URI::Escape; +use Encode; my $input = new CGI; @@ -46,7 +48,8 @@ if ( !C4::Context->preference('OPACReportProblem') print $input->redirect("/cgi-bin/koha/errors/404.pl"); } -my $problempage = C4::Context->preference('OPACBaseURL') . Koha::Util::Navigation::local_referer($input ); +my $referer = Koha::Util::Navigation::local_referer($input ); +$referer = Encode::decode_utf8 uri_unescape $referer, my $patron = Koha::Patrons->find($borrowernumber); my $username = $patron->userid; @@ -56,7 +59,7 @@ my @messages; $template->param( username => $username, - problempage => $problempage, + problempage => $referer, library => $library, ); @@ -66,6 +69,7 @@ if ( $op eq 'addreport' ) { my $subject = $input->param('subject'); my $message = $input->param('message'); my $problempage = $input->param('problempage'); + $problempage = Encode::decode_utf8 uri_unescape $problempage; my $recipient = $input->param('recipient') || 'admin'; try { -- 2.39.5
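Review bot: The new line `$referer = Encode::decode_utf8 uri_unescape $referer,` ends with a comma instead of a semicolon, so it and the following `my $patron = Koha::Patrons->find($borrowernumber);` parse as a single statement: `uri_unescape` is a list operator and swallows `$referer, my $patron = ...` as its argument list, and it appears to return only the unescaped `$referer` because `decode_utf8`'s prototype forces scalar context on that argument. The result is correct by accident and will break as soon as either line is edited; terminate the statement and keep the two assignments separate: `$referer = Encode::decode_utf8( uri_unescape($referer) );` followed by `my $patron = Koha::Patrons->find($borrowernumber);` on its own line. Calling `decode_utf8` without a CHECK argument replaces malformed bytes from an attacker-supplied Referer with U+FFFD instead of dying, which is the right choice here and worth a one-line comment. The script's top-level flow continues outside the hunk.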
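Review bot: `$problempage = Encode::decode_utf8 uri_unescape $problempage;` decodes the POSTed `problempage` field but never checks that it is a root-relative path, even though the staff template now prepends `OPACBaseURL` to whatever gets stored. This value comes from the client, not from `local_referer`, so `@evil.example/` or `.evil.example/` produces `https://opac.example.org@evil.example/` when the base URL has no trailing slash — a staff-facing link to an attacker-chosen host. Unless `Koha::ProblemReport` validates it (not visible here), reject anything that does not start with a single `/` right after the decode, e.g. `$problempage = '/' unless defined $problempage && $problempage =~ m{\A/(?![/\\])};`, or treat such a value as an error. The `if ( $op eq 'addreport' )` block continues outside the hunk.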