From 951b857a970e02cc10bf1b5a31005e8eccc96eaf Mon Sep 17 00:00:00 2001 From: Andrew Isherwood Date: Tue, 23 Apr 2019 10:18:31 +0100 Subject: [PATCH] Bug 21460: (follow-up) Filter params in .pl This patch filters the passed parameters in the .pl, rather than doing it in the template. As per comment 16 (https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21460#c16) Signed-off-by: Josef Moravec Signed-off-by: Nick Clemens --- ill/ill-requests.pl | 21 ++++++++++++------- .../prog/en/modules/ill/ill-requests.tt | 2 +- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/ill/ill-requests.pl b/ill/ill-requests.pl index 45f99c2ca3..57b0692dd4 100755 --- a/ill/ill-requests.pl +++ b/ill/ill-requests.pl @@ -30,6 +30,7 @@ use Koha::Libraries; use Koha::Token; use Try::Tiny; +use URI::Escape; our $cgi = CGI->new; my $illRequests = Koha::Illrequests->new; @@ -270,18 +271,24 @@ if ( $backends_available ) { # If we receive a pre-filter, make it available to the template my $possible_filters = ['borrowernumber']; - my $active_filters = []; + my $active_filters = {}; foreach my $filter(@{$possible_filters}) { if ($params->{$filter}) { - push @{$active_filters}, "$filter=$params->{$filter}"; + # We shouldn't need to escape $filter here since we're using + # a whitelist, but just to be sure... + $active_filters->{uri_escape_utf8($filter)} = + uri_escape_utf8(scalar $params->{$filter}); } } - if (scalar @{$active_filters} > 0) { - $template->param( - prefilters => join(",", @{$active_filters}) - ); + if (keys %{$active_filters}) { + my @tpl_arr; + foreach my $key (keys %{$active_filters}) { + push @tpl_arr, $key . "=" . $active_filters->{$key}; + } } - + $template->param( + prefilters => join("&", @tpl_arr) + ); } elsif ( $op eq "save_comment" ) { die "Wrong CSRF token" unless Koha::Token->new->check_csrf({ session_id => scalar $cgi->cookie('CGISESSID'), 
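Review bot: `my @tpl_arr;` is declared inside the `if (keys %{$active_filters}) { ... }` block in the second hunk of ill/ill-requests.pl, but the new `$template->param( prefilters => join("&", @tpl_arr) )` call sits after that block's closing brace, where the lexical is no longer in scope. If the script runs under strict (not visible in this hunk) that is a compile-time failure; otherwise the join reads an empty package array and `prefilters` is always empty, so the escaped filter never reaches the template. Declare the array before the condition, i.e. put `my @tpl_arr;` immediately above `if (keys %{$active_filters}) {`, or move the `param` call inside the block. Separately, `uri_escape_utf8` only makes the value safe for a URL query string; since the sole whitelisted filter is `borrowernumber`, skipping values that fail `/\A\d+\z/` would be a stricter guard, assuming that parameter is always numeric. The enclosing branch opens above this hunk and the `elsif` chain continues below it.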
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt index ce73bacbbc..8feeccbc65 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt @@ -527,7 +527,7 @@ [% INCLUDE 'calendar.inc' %] [% Asset.js("lib/jquery/plugins/jquery.checkboxes.min.js") | $raw %] -- 2.39.5