[Koha-patches] [PATCH] Escape input that goes in HTML; Reworked search history insert SQL
Chris Cormack
chrisc at catalyst.net.nz
Wed Feb 24 01:41:24 CET 2010
From: Srdjan Jankovic <srdjan at catalyst.net.nz>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
---
C4/Auth.pm | 46 +++++++++-----------
koha-tmpl/intranet-tmpl/prog/en/modules/auth.tmpl | 2 +-
.../prog/en/modules/catalogue/results.tmpl | 8 ++--
.../prog/en/modules/catalogue/subject.tmpl | 4 +-
.../prog/en/modules/installer/auth.tmpl | 2 +-
koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tmpl | 2 +-
.../prog/en/modules/opac-results-grouped.tmpl | 4 +-
.../opac-tmpl/prog/en/modules/opac-results.tmpl | 4 +-
.../opac-tmpl/prog/en/modules/sco/sco-main.tmpl | 2 +-
9 files changed, 34 insertions(+), 40 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index fe79fe5..c73b86a 100755
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -121,6 +121,10 @@ C4::Auth - Authenticates Koha users
=cut
+my $SERCH_HISTORY_INSERT_SQL =<<EOQ;
+INSERT INTO search_history(userid, sessionid, query_desc, query_cgi, total, time )
+VALUES ( ?, ?, ?, ?, ?, FROM_UNIXTIME(?))
+EOQ
sub get_template_and_user {
my $in = shift;
my $template =
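Review bot: The new file-level constant is misspelled, `$SERCH_HISTORY_INSERT_SQL`; it is introduced and referenced only by this patch, so renaming it now to `$SEARCH_HISTORY_INSERT_SQL` is free and avoids the name being grepped for ever after. Since the statement carries no Perl variables, a non-interpolating heredoc `my $SEARCH_HISTORY_INSERT_SQL = <<'EOQ';` states that intent and keeps a future `$` or `@` in the SQL from silently interpolating. The constant is placed directly above `sub get_template_and_user`, which starts on the last line of this hunk and continues past it.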
@@ -251,31 +255,19 @@ sub get_template_and_user {
# And if there's a cookie with searches performed when the user was not logged in,
# we add them to the logged-in search history
- my @recentSearches;
my $searchcookie = $in->{'query'}->cookie('KohaOpacRecentSearches');
if ($searchcookie){
$searchcookie = uri_unescape($searchcookie);
- if (thaw($searchcookie)) {
- @recentSearches = @{thaw($searchcookie)};
- }
-
- if (@recentSearches > 0) {
- my $query = "INSERT INTO search_history(userid, sessionid, query_desc, query_cgi, total, time) VALUES";
- my $icount = 1;
- foreach my $asearch (@recentSearches) {
- $query .= "(";
- $query .= $borrowernumber . ", ";
- $query .= '"' . $in->{'query'}->cookie("CGISESSID") . "\", ";
- $query .= '"' . $asearch->{'query_desc'} . "\", ";
- $query .= '"' . $asearch->{'query_cgi'} . "\", ";
- $query .= $asearch->{'total'} . ", ";
- $query .= 'FROM_UNIXTIME(' . $asearch->{'time'} . "))";
- if ($icount < @recentSearches) { $query .= ", ";}
- $icount++;
- }
-
- my $sth = $dbh->prepare($query);
- $sth->execute;
+ my @recentSearches = @{thaw($searchcookie) || []};
+ if (@recentSearches) {
+ my $sth = $dbh->prepare($SERCH_HISTORY_INSERT_SQL);
+ $sth->execute( $borrowernumber,
+ $in->{'query'}->cookie("CGISESSID"),
+ $_->{'query_desc'},
+ $_->{'query_cgi'},
+ $_->{'total'},
+ $_->{'time'},
+ ) foreach @recentSearches;
# And then, delete the cookie's content
my $newsearchcookie = $in->{'query'}->cookie(
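Review bot: The thawed cookie is still taken at face value in `my @recentSearches = @{thaw($searchcookie) || []};` and in the `$_->{'query_desc'}` style arguments that follow: KohaOpacRecentSearches is client-controlled, `thaw` croaks rather than returning undef on a malformed image (so the `|| []` never triggers), the `@{...}` dies if the image is not an array ref, and `$_->{...}` dies under strict refs if an element is not a hash ref, so a bad or crafted cookie turns this logged-in page into a fatal error instead of a page. Storable also rebuilds whatever references, blessed ones included, the client chose to put in the image, so at minimum the result should be trapped and shape-checked before it is used. The parameterized INSERT is the right replacement for the old string-built query; what I would add in front of it is the guard below. get_template_and_user starts before this hunk and continues past it.
```perl
    my $searchcookie = $in->{'query'}->cookie('KohaOpacRecentSearches');
    if ($searchcookie){
        $searchcookie = uri_unescape($searchcookie);
        # The cookie is client-controlled: thaw() croaks on a malformed image and
        # rebuilds whatever refs (blessed ones included) the client put in it,
        # so trap it and accept only a plain list of plain hashes.
        my $thawed = eval { thaw($searchcookie) };
        my @recentSearches = ref $thawed eq 'ARRAY' ? @$thawed : ();
        @recentSearches = grep { ref $_ eq 'HASH' } @recentSearches;
        if (@recentSearches) {
            # … unchanged: prepared INSERT executed once per search …
```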
@@ -314,11 +306,13 @@ sub get_template_and_user {
}
# Anonymous opac search history
# If opac search history is enabled and at least one search has already been performed
- if (C4::Context->preference('EnableOpacSearchHistory') && $in->{'query'}->cookie('KohaOpacRecentSearches')) {
+ if (C4::Context->preference('EnableOpacSearchHistory')) {
+ my $searchcookie = $in->{'query'}->cookie('KohaOpacRecentSearches');
+ if ($searchcookie){
+ $searchcookie = uri_unescape($searchcookie);
+ my @recentSearches = @{thaw($searchcookie) || []};
# We show the link in opac
- if (thaw(uri_unescape($in->{'query'}->cookie('KohaOpacRecentSearches')))) {
- my @recentSearches = @{thaw(uri_unescape($in->{'query'}->cookie('KohaOpacRecentSearches')))};
- if (@recentSearches > 0) {
+ if (@recentSearches) {
$template->param(ShowOpacRecentSearchLink => 1);
}
}
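Review bot: `my @recentSearches = @{thaw($searchcookie) || []};` has the same failure mode on this anonymous path as on the logged-in one, and here it presumably runs for every OPAC request once EnableOpacSearchHistory is on: `thaw` croaks on a malformed cookie (so `|| []` never sees undef) and the `@{...}` dies if the image is not an array ref, so a bad cookie is a fatal error before anything is rendered. This branch only needs to know whether at least one entry exists, so trap it: `my $thawed = eval { thaw($searchcookie) };` followed by `my @recentSearches = ref $thawed eq 'ARRAY' ? @$thawed : ();`. get_template_and_user encloses this hunk and continues past it.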
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tmpl
index b3d1f4c..5867f6d 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tmpl
@@ -39,7 +39,7 @@
<form action="<!-- TMPL_VAR NAME="url" -->" method="post" name="loginform" id="loginform">
<input type="hidden" name="koha_login_context" value="intranet" />
<!-- TMPL_LOOP NAME="INPUTS" -->
- <input type="hidden" name="<!-- TMPL_VAR NAME="name" -->" value="<!-- TMPL_VAR NAME="value" ESCAPE="html" -->" />
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="name" -->" value="<!-- TMPL_VAR NAME="value" ESCAPE="html" -->" />
<!-- /TMPL_LOOP -->
<p><label for="userid">Username:</label>
<input type="text" name="userid" id="userid" class="input focus" value="<!-- TMPL_VAR NAME="userid" -->" size="20" tabindex="1" />
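Review bot: The context line `value="<!-- TMPL_VAR NAME="userid" -->"` still emits the username unescaped inside an attribute, which matters if, as the name suggests, it echoes the value from a failed login attempt back into the form; it should get the same treatment as the hidden inputs: `value="<!-- TMPL_VAR NAME="userid" ESCAPE="html" -->"`. The `action="<!-- TMPL_VAR NAME="url" -->"` line is in the same position if `url` is derived from the request rather than fixed server-side. A minor style point: the rewritten line mixes `ESCAPE=HTML` and `ESCAPE="html"` on the same line; pick one form per file.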
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tmpl
index 9dbfe4a..b81970a 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tmpl
@@ -207,10 +207,10 @@ function GetZ3950Terms(){
<form action="/cgi-bin/koha/catalogue/search.pl" method="get" id="sortbyform">
<!-- TMPL_IF NAME="searchdesc" -->
<!-- TMPL_LOOP NAME="QUERY_INPUTS"-->
- <input type="hidden" name="<!-- TMPL_VAR NAME="input_name" -->" value="<!-- TMPL_VAR NAME="input_value" -->"/>
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="input_name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="input_value" -->"/>
<!-- /TMPL_LOOP -->
<!-- TMPL_LOOP NAME="LIMIT_INPUTS"-->
- <input type="hidden" name="<!-- TMPL_VAR NAME="input_name" -->" value="<!-- TMPL_VAR NAME="input_value" -->"/>
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="input_name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="input_value" -->"/>
<!-- /TMPL_LOOP -->
<!-- /TMPL_IF -->
<!-- RE-SORT START -->
@@ -363,10 +363,10 @@ function GetZ3950Terms(){
<form action="/cgi-bin/koha/catalogue/search.pl" method="get" name="bookbag_form" id="bookbag_form">
<!-- TMPL_IF NAME="searchdesc" -->
<!-- TMPL_LOOP NAME="QUERY_INPUTS"-->
- <input type="hidden" name="<!-- TMPL_VAR NAME="input_name" -->" value="<!-- TMPL_VAR NAME="input_value" -->"/>
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="input_name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="input_value" -->"/>
<!-- /TMPL_LOOP -->
<!-- TMPL_LOOP NAME="LIMIT_INPUTS"-->
- <input type="hidden" name="<!-- TMPL_VAR NAME="input_name" -->" value="<!-- TMPL_VAR NAME="input_value" -->"/>
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="input_name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="input_value" -->"/>
<!-- /TMPL_LOOP -->
<!-- /TMPL_IF -->
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/subject.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/subject.tmpl
index aceb40c..6ba5005 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/subject.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/subject.tmpl
@@ -33,7 +33,7 @@
</tr>
<!-- /TMPL_LOOP -->
</table>
-<p><a class="button" href="search.pl?<!-- TMPL_LOOP NAME="FORMINPUTS" --><!-- TMPL_VAR NAME="line" -->&<!-- /TMPL_LOOP -->startfrom=<!-- TMPL_VAR NAME="prevstartfrom" -->">Previous Records</a> <a class="button" href="search.pl?<!-- TMPL_LOOP NAME="FORMINPUTS" --><!-- TMPL_VAR NAME="line" -->&<!-- /TMPL_LOOP -->startfrom=<!-- TMPL_VAR NAME="nextstartfrom" -->">Next Records</a></p>
+<p><a class="button" href="search.pl?<!-- TMPL_LOOP NAME="FORMINPUTS" --><!-- TMPL_VAR ESCAPE=URL NAME="line" -->&<!-- /TMPL_LOOP -->startfrom=<!-- TMPL_VAR NAME="prevstartfrom" -->">Previous Records</a> <a class="button" href="search.pl?<!-- TMPL_LOOP NAME="FORMINPUTS" --><!-- TMPL_VAR NAME="line" -->&<!-- /TMPL_LOOP -->startfrom=<!-- TMPL_VAR NAME="nextstartfrom" -->">Next Records</a></p>
</div>
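Review bot: Only the "Previous Records" link gets `ESCAPE=URL`; the "Next Records" link on the same line still emits `line` raw, and `ESCAPE=URL` looks like the wrong escape here: the loop appends `&` after each `line`, which suggests each value is already a `name=value` pair, and URL-escaping the whole pair turns its `=` into `%3D` and breaks the query string. For an href attribute holding pre-built query fragments the attribute-context escape is what is wanted, in both links: `<!-- TMPL_VAR ESCAPE=HTML NAME="line" -->&amp;`, with per-name and per-value URL escaping done where FORMINPUTS is built. `prevstartfrom` and `nextstartfrom` should get the same escape unless they are guaranteed numeric.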
@@ -43,4 +43,4 @@
<!-- TMPL_INCLUDE NAME="cat-menu.inc" -->
</div>
</div>
-<!-- TMPL_INCLUDE NAME="intranet-bottom.inc" -->
\ No newline at end of file
+<!-- TMPL_INCLUDE NAME="intranet-bottom.inc" -->
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tmpl
index 0cb8092..5335bec 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tmpl
@@ -30,7 +30,7 @@
<!-- login prompt time-->
<form action="<!-- TMPL_VAR NAME="url" -->" method="post" name="mainform" id="mainform">
<!-- TMPL_LOOP NAME="INPUTS" -->
- <input type="hidden" name="<!-- TMPL_VAR NAME="name" -->" value="<!-- TMPL_VAR NAME="value" -->" />
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="value" -->" />
<!-- /TMPL_LOOP -->
<h3>Welcome to the Koha Web Installer</h3>
<p>Before we begin, please verify you have the correct credentials to continue. Please log in
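Review bot: The form `action="<!-- TMPL_VAR NAME="url" -->"` on the line above the loop is still unescaped; the hunk only covers the hidden inputs. If `url` is built from the request (the installer login page appears to round-trip to whatever called it, which is what the INPUTS loop is for), it needs `ESCAPE=HTML` as well: `<form action="<!-- TMPL_VAR ESCAPE=HTML NAME="url" -->" method="post" name="mainform" id="mainform">`. If it is a fixed server-side path this is harmless, but it is then the only unescaped variable left in the form and worth a comment saying so.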
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tmpl
index 161b082..ec569cd 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tmpl
@@ -56,7 +56,7 @@
<form action="<!-- TMPL_VAR NAME="url" -->" name="auth" id="auth" method="post">
<input type="hidden" name="koha_login_context" value="opac" />
<fieldset class="brief"><!-- TMPL_LOOP NAME="INPUTS" -->
- <input type="hidden" name="<!-- TMPL_VAR NAME="name" -->" value="<!-- TMPL_VAR NAME="value" -->" />
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="value" -->" />
<!-- /TMPL_LOOP -->
<ol>
<li><label for="userid">Login</label>
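Review bot: The same gap as on the intranet login form: `action="<!-- TMPL_VAR NAME="url" -->"` two lines above the loop is left unescaped while the hidden inputs now are. If `url` can carry anything from the request it needs `<form action="<!-- TMPL_VAR ESCAPE=HTML NAME="url" -->" name="auth" id="auth" method="post">`; if it is a constant, a short comment saying why it is exempt would stop the next reader from asking.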
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tmpl
index 0162ccb..1d5e8f1 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tmpl
@@ -168,10 +168,10 @@ function highlightOn() {
<form action="/cgi-bin/koha/opac-search.pl" method="get" name="bookbag_form" id="bookbag_form">
<!-- TMPL_IF NAME="searchdesc" -->
<!-- TMPL_LOOP NAME="QUERY_INPUTS"-->
- <input type="hidden" name="<!-- TMPL_VAR NAME="input_name" -->" value="<!-- TMPL_VAR NAME="input_value" -->"/>
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="input_name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="input_value" -->"/>
<!-- /TMPL_LOOP -->
<!-- TMPL_LOOP NAME="LIMIT_INPUTS"-->
- <input type="hidden" name="<!-- TMPL_VAR NAME="input_name" -->" value="<!-- TMPL_VAR NAME="input_value" -->"/>
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="input_name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="input_value" -->"/>
<!-- /TMPL_LOOP -->
<!-- /TMPL_IF -->
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tmpl
index 1ea73e5..460cfe1 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tmpl
@@ -315,10 +315,10 @@ $(document).ready(function(){
<form action="/cgi-bin/koha/opac-search.pl" method="get" name="bookbag_form" id="bookbag_form">
<!-- TMPL_IF NAME="searchdesc" -->
<!-- TMPL_LOOP NAME="QUERY_INPUTS"-->
- <input type="hidden" name="<!-- TMPL_VAR NAME="input_name" -->" value="<!-- TMPL_VAR NAME="input_value" -->"/>
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="input_name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="input_value" -->"/>
<!-- /TMPL_LOOP -->
<!-- TMPL_LOOP NAME="LIMIT_INPUTS"-->
- <input type="hidden" name="<!-- TMPL_VAR NAME="input_name" -->" value="<!-- TMPL_VAR NAME="input_value" -->"/>
+ <input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="input_name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="input_value" -->"/>
<!-- /TMPL_LOOP -->
<!-- /TMPL_IF -->
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/sco/sco-main.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/sco/sco-main.tmpl
index 3bfde99..32ed006 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/sco/sco-main.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/sco/sco-main.tmpl
@@ -230,7 +230,7 @@ Sorry, This Self-Checkout Station has lost authentication. Please contact the a
<fieldset class="checkout"><label for="patronid">Please enter your card number:</label>
<input type="text" id="patronid" class="focus" size="20" name="patronid" />
- <!-- TMPL_LOOP NAME="INPUTS" --><input type="hidden" name="<!-- TMPL_VAR NAME="name" -->" value="<!-- TMPL_VAR NAME="value" -->"><!-- /TMPL_LOOP -->
+ <!-- TMPL_LOOP NAME="INPUTS" --><input type="hidden" name="<!-- TMPL_VAR ESCAPE=HTML NAME="name" -->" value="<!-- TMPL_VAR ESCAPE=HTML NAME="value" -->"><!-- /TMPL_LOOP -->
<input type="hidden" name="op" value="login" />
<input type="submit" value="Submit" class="submit" /></fieldset></form>
</div>
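Review bot: A style point on the rewritten line: the hidden input it emits still closes with a bare `>` while the neighbouring `op` and submit inputs use `/>`, so the one line the patch touched is the one that is inconsistent with the rest of the fieldset; `value="<!-- TMPL_VAR ESCAPE=HTML NAME="value" -->" />` would match. The escaping itself is correct for an attribute context.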
--
1.6.3.3