From 5cbaec63a382727970c41f6c7449ab1f97087eac Mon Sep 17 00:00:00 2001 From: =?utf8?q?Micha=C5=82=20Kula?= <148193449+mkibp@users.noreply.github.com> Date: Mon, 23 Oct 2023 15:51:40 +0200 Subject: [PATCH] Bug 35072: Fix invalid usage of "&" in JavaScript intranet-tmpl script redirects These escapes were invalid in these places, as HTML entity escapes are meant to be used only inside of HTML elements/attributes, not inside of JavaScript code. These URLs would be sent out by the browser as-is, and that'd usually work on the default install only coincidentally. Unfortunately, on some setups (such as when using reverse proxies), this would break, and the URL after "&" would have been truncated. This small patch adjusts the URLs in templates to not use wrong escapes, and makes them consistent with how URLs are formatted for JavaScript redirects in most of the templates already. Signed-off-by: Owen Leonard Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi (cherry picked from commit da9f74e56aa3fcaab2a53f0211113d7600263806) Signed-off-by: Fridolin Somers (cherry picked from commit 37eb3092c19361c88ab0442219cd523832b24d2f) Signed-off-by: Matt Blenkinsop
---
koha-tmpl/intranet-tmpl/prog/js/cart.js | 2 +- koha-tmpl/intranet-tmpl/prog/js/catalog.js | 4 ++-- koha-tmpl/intranet-tmpl/prog/js/holds.js | 2 +- koha-tmpl/intranet-tmpl/prog/js/members-menu.js | 6 +++--- koha-tmpl/intranet-tmpl/prog/js/pages/results.js | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/js/cart.js b/koha-tmpl/intranet-tmpl/prog/js/cart.js
index ca81042c29..f66a021047 100644
--- a/koha-tmpl/intranet-tmpl/prog/js/cart.js
+++ b/koha-tmpl/intranet-tmpl/prog/js/cart.js
@@ -54,7 +54,7 @@ function batchModify(){
 var bib = $(this).val();
 bibs += bib + "/";
 });
- newloc = "/cgi-bin/koha/tools/batch_record_modification.pl?op=list&bib_list=" + bibs + "&type=biblio";
+ newloc = "/cgi-bin/koha/tools/batch_record_modification.pl?op=list&bib_list=" + bibs + "&type=biblio";
 window.opener.location = newloc;
 window.close();
diff --git a/koha-tmpl/intranet-tmpl/prog/js/catalog.js b/koha-tmpl/intranet-tmpl/prog/js/catalog.js
index 072680afce..a150ad7072 100644
--- a/koha-tmpl/intranet-tmpl/prog/js/catalog.js
+++ b/koha-tmpl/intranet-tmpl/prog/js/catalog.js
@@ -51,7 +51,7 @@ function confirm_deletion(link) {
 }
 if (is_confirmed) {
 $("#deletebiblio").unbind('click');
- window.location="/cgi-bin/koha/cataloguing/addbiblio.pl?op=delete&biblionumber=" + biblionumber + (searchid ? "&searchid="+searchid : "");
+ window.location="/cgi-bin/koha/cataloguing/addbiblio.pl?op=delete&biblionumber=" + biblionumber + (searchid ? "&searchid="+searchid : "");
 } else {
 return false;
 }
@@ -66,7 +66,7 @@ function confirm_items_deletion() {
 alert(__("%s hold(s) on this record. You must delete all holds before deleting all items.").format(holdcount));
 } else if ( count > 0 ) {
 if (confirm(__("Are you sure you want to delete the %s attached items?").format(count))) {
- window.location="/cgi-bin/koha/cataloguing/additem.pl?op=delallitems&biblionumber=" + biblionumber + (searchid ? "&searchid="+searchid : "");
+ window.location="/cgi-bin/koha/cataloguing/additem.pl?op=delallitems&biblionumber=" + biblionumber + (searchid ? "&searchid="+searchid : "");
 } else {
 return false;
 }
diff --git a/koha-tmpl/intranet-tmpl/prog/js/holds.js b/koha-tmpl/intranet-tmpl/prog/js/holds.js
index 533847fa8d..6a156f8585 100644
--- a/koha-tmpl/intranet-tmpl/prog/js/holds.js
+++ b/koha-tmpl/intranet-tmpl/prog/js/holds.js
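Review bot: The corrected `newloc` line still splices `bibs` into the query string unencoded, so a value containing `&` or `#` would truncate the request in the same way the stray entity escape did; the `+` lines in catalog.js (`biblionumber`, `searchid`), holds.js (`suspend_until`), members-menu.js (`destination`, `print_type`) and results.js (`params.join("/")`) have the same shape. The holds.js one is the first I would close, since `suspend_until` is read from `$('#suspend_until_' + reserve_id).val()`, a user-editable field, e.g. `'&suspend_until=' + encodeURIComponent(suspend_until)`. `newloc` is also assigned here without `var`/`let`, which makes it an implicit global unless it is declared earlier in batchModify, whose body starts outside the hunk; `var newloc = "/cgi-bin/koha/tools/batch_record_modification.pl?op=list&bib_list=" + bibs + "&type=biblio";` would scope it to the function.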
@@ -442,7 +442,7 @@ $(document).ready(function() {
 let reserve_id = $(this).data('reserve-id');
 let biblionumber = $(this).data('biblionumber');
 let suspend_until = $('#suspend_until_' + reserve_id).val();
- window.location.href='request.pl?action=toggleSuspend&reserve_id=' + reserve_id + '&biblionumber=' + biblionumber + '&suspend_until=' + suspend_until;
+ window.location.href='request.pl?action=toggleSuspend&reserve_id=' + reserve_id + '&biblionumber=' + biblionumber + '&suspend_until=' + suspend_until;
 return false;
 });
 });
diff --git a/koha-tmpl/intranet-tmpl/prog/js/members-menu.js b/koha-tmpl/intranet-tmpl/prog/js/members-menu.js
index b020966e58..c19650b6a9 100644
--- a/koha-tmpl/intranet-tmpl/prog/js/members-menu.js
+++ b/koha-tmpl/intranet-tmpl/prog/js/members-menu.js
@@ -145,16 +145,16 @@ function update_child() {
 function confirm_reregistration() {
 var is_confirmed = window.confirm( __("Are you sure you want to renew this patron's registration?") );
 if (is_confirmed) {
- window.location = '/cgi-bin/koha/members/setstatus.pl?borrowernumber=' + borrowernumber + '&destination=' + destination + '&reregistration=y';
+ window.location = '/cgi-bin/koha/members/setstatus.pl?borrowernumber=' + borrowernumber + '&destination=' + destination + '&reregistration=y';
 }
 }
 function export_barcodes() {
- window.open('/cgi-bin/koha/members/readingrec.pl?borrowernumber=' + borrowernumber + '&op=export_barcodes');
+ window.open('/cgi-bin/koha/members/readingrec.pl?borrowernumber=' + borrowernumber + '&op=export_barcodes');
 }
 var slip_re = /slip/;
 function printx_window(print_type) {
 var handler = print_type.match(slip_re) ? "printslip" : "summary-print";
- window.open("/cgi-bin/koha/members/" + handler + ".pl?borrowernumber=" + borrowernumber + "&print=" + print_type, "printwindow");
+ window.open("/cgi-bin/koha/members/" + handler + ".pl?borrowernumber=" + borrowernumber + "&print=" + print_type, "printwindow");
 return false;
 }
 function searchToHold(){
diff --git a/koha-tmpl/intranet-tmpl/prog/js/pages/results.js b/koha-tmpl/intranet-tmpl/prog/js/pages/results.js
index 8ce456e3fd..d6b1ce5c4b 100644
--- a/koha-tmpl/intranet-tmpl/prog/js/pages/results.js
+++ b/koha-tmpl/intranet-tmpl/prog/js/pages/results.js
@@ -434,7 +434,7 @@ function resultsBatchProcess( op ){
 selected.each(function() {
 params.push( $(this).val() );
 });
- url = "/cgi-bin/koha/tools/batch_record_modification.pl?op=list&bib_list=" + params.join("/");
+ url = "/cgi-bin/koha/tools/batch_record_modification.pl?op=list&bib_list=" + params.join("/");
 location.href = url;
 }
 } else if( op == "delete" ){
-- 2.39.5
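Review bot: `url` on the `+` line is assigned without a declaration; unless resultsBatchProcess, which starts outside the hunk, declares it earlier, this creates an implicit global that outlives the call. Since the line is being touched anyway, `var url = "/cgi-bin/koha/tools/batch_record_modification.pl?op=list&bib_list=" + params.join("/");` (or `let`) would scope it to the function. This is separate from the entity fix and fine as a follow-up.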