From 552873f7d466abee6919414b8d2f5e6c99f9a44f Mon Sep 17 00:00:00 2001 From: Andrew Isherwood Date: Tue, 15 May 2018 16:00:02 +0100 Subject: [PATCH] Bug 20770: ILL loans OPAC form notes field allow arbitrary input This patch addresses the lack of sanitization of the "notes" field on the OPAC "View Interlibrary loan request" page. To test: - Apply the patch - As an OPAC user, create an ILL request - Navigate to the request's "View Interlibrary loan request" page - Add the following note: Hello

TESTING

- Click "Submit modifications" - TEST: Observe, when the page reloads, only the following is preserved in the "Notes" textarea: Hello TESTING - As a staff user, naviate to the ILL requests table - Select "Manage request" for the request you created - TEST: Observe that the Notes field only contains: Hello TESTING - TEST: Observe that no Javascript alert is displayed Signed-off-by: Mark Tompsett Signed-off-by: Marcel de Rooy Signed-off-by: Tomas Cohen Arazi --- koha-tmpl/intranet-tmpl/prog/css/staff-global.css | 4 ++++ koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt | 4 ++-- koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt | 4 ++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/css/staff-global.css b/koha-tmpl/intranet-tmpl/prog/css/staff-global.css index f5ea1af08e..d05c74b352 100644 --- a/koha-tmpl/intranet-tmpl/prog/css/staff-global.css +++ b/koha-tmpl/intranet-tmpl/prog/css/staff-global.css @@ -3192,6 +3192,10 @@ fieldset.rows + fieldset.action { line-height: 1.3em; } +#ill-view-panel .notesopac { + display: inline-block; +} + table#ill-requests { width: 100% !important; } diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt index db5b77c61f..b869b5f524 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt @@ -452,7 +452,7 @@
  • - +
  • @@ -554,7 +554,7 @@
    Notes: -
    [% request.notesopac %]
    +
    [% request.notesopac | html %]
    diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt index 073f8d31a4..e9632c92dd 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt @@ -179,9 +179,9 @@
  • [% IF !request.completed %] - + [% ELSE %] - [% request.notesopac %] + [% request.notesopac | html %] [% END %]
  • -- 2.39.5