From da9f74e56aa3fcaab2a53f0211113d7600263806 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Micha=C5=82=20Kula?= <148193449+mkibp@users.noreply.github.com> Date: Mon, 23 Oct 2023 15:51:40 +0200 Subject: [PATCH] Bug 35072: Fix invalid usage of "&" in JavaScript intranet-tmpl script redirects These escapes were invalid in these places, as HTML entity escapes are meant to be used only inside of HTML elements/attributes, not inside of JavaScript code. These URLs would be sent out by the browser as-is, and that'd usually work on the default install only coincidentally. Unfortunately, on some setups (such as when using reverse proxies), this would break, and the URL after "&" would have been truncated. This small patch adjusts the URLs in templates to not use wrong escapes, and makes them consistent with how URLs are formatted for JavaScript redirects in most of the templates already. Signed-off-by: Owen Leonard Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi --- koha-tmpl/intranet-tmpl/prog/js/cart.js | 2 +- koha-tmpl/intranet-tmpl/prog/js/catalog.js | 4 ++-- koha-tmpl/intranet-tmpl/prog/js/holds.js | 2 +- koha-tmpl/intranet-tmpl/prog/js/members-menu.js | 6 +++--- koha-tmpl/intranet-tmpl/prog/js/pages/results.js | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/js/cart.js b/koha-tmpl/intranet-tmpl/prog/js/cart.js index ca81042c29..f66a021047 100644 --- a/koha-tmpl/intranet-tmpl/prog/js/cart.js +++ b/koha-tmpl/intranet-tmpl/prog/js/cart.js @@ -54,7 +54,7 @@ function batchModify(){ var bib = $(this).val(); bibs += bib + "/"; }); - newloc = "/cgi-bin/koha/tools/batch_record_modification.pl?op=list&bib_list=" + bibs + "&type=biblio"; + newloc = "/cgi-bin/koha/tools/batch_record_modification.pl?op=list&bib_list=" + bibs + "&type=biblio"; window.opener.location = newloc; window.close(); diff --git a/koha-tmpl/intranet-tmpl/prog/js/catalog.js b/koha-tmpl/intranet-tmpl/prog/js/catalog.js index 09eb2fe550..8a3694fb8d 100644 --- a/koha-tmpl/intranet-tmpl/prog/js/catalog.js +++ b/koha-tmpl/intranet-tmpl/prog/js/catalog.js @@ -52,7 +52,7 @@ function confirm_deletion(link) { } if (is_confirmed) { $("#deletebiblio").unbind('click'); - window.location="/cgi-bin/koha/cataloguing/addbiblio.pl?op=delete&biblionumber=" + biblionumber + (searchid ? "&searchid="+searchid : ""); + window.location="/cgi-bin/koha/cataloguing/addbiblio.pl?op=delete&biblionumber=" + biblionumber + (searchid ? "&searchid="+searchid : ""); } else { return false; } @@ -67,7 +67,7 @@ function confirm_items_deletion() { alert(__("%s hold(s) on this record. You must delete all holds before deleting all items.").format(holdcount)); } else if ( count > 0 ) { if (confirm(__("Are you sure you want to delete the %s attached items?").format(count))) { - window.location="/cgi-bin/koha/cataloguing/additem.pl?op=delallitems&biblionumber=" + biblionumber + (searchid ? "&searchid="+searchid : ""); + window.location="/cgi-bin/koha/cataloguing/additem.pl?op=delallitems&biblionumber=" + biblionumber + (searchid ? "&searchid="+searchid : ""); } else { return false; } diff --git a/koha-tmpl/intranet-tmpl/prog/js/holds.js b/koha-tmpl/intranet-tmpl/prog/js/holds.js index afafcf89dd..50dce1ddd3 100644 --- a/koha-tmpl/intranet-tmpl/prog/js/holds.js +++ b/koha-tmpl/intranet-tmpl/prog/js/holds.js @@ -450,7 +450,7 @@ $(document).ready(function() { let reserve_id = $(this).data('reserve-id'); let biblionumber = $(this).data('biblionumber'); let suspend_until = $('#suspend_until_' + reserve_id).val(); - window.location.href='request.pl?action=toggleSuspend&reserve_id=' + reserve_id + '&biblionumber=' + biblionumber + '&suspend_until=' + suspend_until; + window.location.href='request.pl?action=toggleSuspend&reserve_id=' + reserve_id + '&biblionumber=' + biblionumber + '&suspend_until=' + suspend_until; return false; }); }); diff --git a/koha-tmpl/intranet-tmpl/prog/js/members-menu.js b/koha-tmpl/intranet-tmpl/prog/js/members-menu.js index b020966e58..c19650b6a9 100644 --- a/koha-tmpl/intranet-tmpl/prog/js/members-menu.js +++ b/koha-tmpl/intranet-tmpl/prog/js/members-menu.js @@ -145,16 +145,16 @@ function update_child() { function confirm_reregistration() { var is_confirmed = window.confirm( __("Are you sure you want to renew this patron's registration?") ); if (is_confirmed) { - window.location = '/cgi-bin/koha/members/setstatus.pl?borrowernumber=' + borrowernumber + '&destination=' + destination + '&reregistration=y'; + window.location = '/cgi-bin/koha/members/setstatus.pl?borrowernumber=' + borrowernumber + '&destination=' + destination + '&reregistration=y'; } } function export_barcodes() { - window.open('/cgi-bin/koha/members/readingrec.pl?borrowernumber=' + borrowernumber + '&op=export_barcodes'); + window.open('/cgi-bin/koha/members/readingrec.pl?borrowernumber=' + borrowernumber + '&op=export_barcodes'); } var slip_re = /slip/; function printx_window(print_type) { var handler = print_type.match(slip_re) ? "printslip" : "summary-print"; - window.open("/cgi-bin/koha/members/" + handler + ".pl?borrowernumber=" + borrowernumber + "&print=" + print_type, "printwindow"); + window.open("/cgi-bin/koha/members/" + handler + ".pl?borrowernumber=" + borrowernumber + "&print=" + print_type, "printwindow"); return false; } function searchToHold(){ diff --git a/koha-tmpl/intranet-tmpl/prog/js/pages/results.js b/koha-tmpl/intranet-tmpl/prog/js/pages/results.js index e46daf26c7..511dc7d1c1 100644 --- a/koha-tmpl/intranet-tmpl/prog/js/pages/results.js +++ b/koha-tmpl/intranet-tmpl/prog/js/pages/results.js @@ -434,7 +434,7 @@ function resultsBatchProcess( op ){ selected.each(function() { params.push( $(this).val() ); }); - url = "/cgi-bin/koha/tools/batch_record_modification.pl?op=list&bib_list=" + params.join("/"); + url = "/cgi-bin/koha/tools/batch_record_modification.pl?op=list&bib_list=" + params.join("/"); location.href = url; } } else if( op == "delete" ){ -- 2.39.5