From 1c26397b435b5fb538af4b6b6e8f6d6b9aae1c62 Mon Sep 17 00:00:00 2001 From: David Cook Date: Wed, 8 Nov 2023 23:39:45 +0000 Subject: [PATCH] Bug 35290: Sanitize field input on cataloguing/ysearch.pl This change sanitizies the field input on cataloguing/ysearch.pl Test plan: 0. Apply the patch and restart/reload Koha 1a. "Add marc21_field_260b.pl plugin to 260$b in the Default framework" 1b. Go to http://localhost:8081/cgi-bin/koha/admin/marc_subfields_structure.pl? op=add_form&tagfield=260&frameworkcode=#subbfield 1c. Choose "marc21_field_260b.pl" from the dropdown next to "Plugin" 1d. Click "Save changes" 2a. "Add new record" 2b. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?frameworkcode= 3. Click on tab "2" and scroll down to 260 "b" 4. Type in "Ori" into 260 subfield b 5. Some autocomplete suggestions should appear Signed-off-by: Owen Leonard Signed-off-by: Nick Clemens Signed-off-by: Jonathan Druart --- cataloguing/ysearch.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cataloguing/ysearch.pl b/cataloguing/ysearch.pl index 7216d559b0..609f4cb0b1 100755 --- a/cataloguing/ysearch.pl +++ b/cataloguing/ysearch.pl @@ -37,7 +37,8 @@ my $table = $input->param('table'); my $field = $input->param('field'); # Prevent from disclosing data -die() unless ($table eq "biblioitems"); +die() unless ($table eq "biblioitems"); +die() unless ($field eq 'publishercode' || $field eq 'collectiontitle'); binmode STDOUT, ":encoding(UTF-8)"; print $input->header( -type => 'text/plain', -charset => 'UTF-8' ); -- 2.39.5