[Koha-bugs] [Bug 21349] New: Instructors with special characters (e.g. $, ., :) in their cardnumber cannot be removed from course reserves

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Sat Sep 15 00:51:23 CEST 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21349

            Bug ID: 21349
           Summary: Instructors with special characters (e.g. $, ., :) in
                    their cardnumber cannot be removed from course
                    reserves
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: Course reserves
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: ephetteplace at cca.edu
        QA Contact: testopia at bugs.koha-community.org

To recreate:

- create a patron with a barcode that contains a character that is meaningful
for CSS/jQuery selectors: comma, $, ., :, [, ], =, or @
- create a course and add them to it as an instructor
- on /cgi-bin/koha/course_reserves/course.pl?course_id={{course_id}} click the
"remove" link attempting to remove them from the course
- ...nothing happens

The source of this issue is the RemoveInstructor JavaScript function in
koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt - it accepts
a single "cardnumber" parameter which isn't sanitized before being used in a
jQuery selector. Therefore if punctuation that's meaningful in a selector
appears in a patron's barcode, the function throws an error. Here's an actual
example from our Koha instance:

Uncaught Error: Syntax error, unrecognized expression: #borrower_PCAC000029831$
    at Function.fa.error (jquery-2.2.3.min.js:2)
    at fa.tokenize (jquery-2.2.3.min.js:2)
    at fa.select (jquery-2.2.3.min.js:2)
    at Function.fa [as find] (jquery-2.2.3.min.js:2)
    at n.fn.init.find (jquery-2.2.3.min.js:2)
    at n.fn.init.a.fn.find (jquery-migrate-1.3.0.min.js:2)
    at a.fn.init.n.fn.init (jquery-2.2.3.min.js:2)
    at new a.fn.init (jquery-migrate-1.3.0.min.js:2)
    at n (jquery-2.2.3.min.js:2)
    at RemoveInstructor (course.pl?course_id=39:224)

The solution to this is to sanitize the cardnumber before using it, as
described by this article for instance:
https://learn.jquery.com/using-jquery-core/faq/how-do-i-select-an-element-by-an-id-that-has-characters-used-in-css-notation/

I'll send along a patch shortly.

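The fix the report describes, as an added example that is not the reporter's patch and not Koha's own code: a cardnumber is escaped before it is interpolated into an ID selector, so selector-meaningful punctuation such as `$`, `.`, `:` or `,` is treated literally. The escaping follows the backslash-prefix approach from the jQuery FAQ linked above but covers all ASCII punctuation rather than only the characters the FAQ lists; the small `isValidIdSelector` checker is a constructed simplification of the CSS identifier grammar so the example runs without a DOM or jQuery. The sample cardnumbers are constructed, with the first one taken from the error message in the report.

```javascript
// Added example (not from the Koha bug report or the Koha code base).
// Shows the vulnerable selector construction the report describes beside a
// hardened version that escapes the cardnumber first.

// Every ASCII punctuation character that can carry meaning in a CSS selector
// (a superset of the list in the jQuery FAQ: comma $ . : [ ] = @).
// jQuery >= 3.0 ships equivalent logic as jQuery.escapeSelector, and browsers
// expose CSS.escape; Koha's jQuery 2.2.3 in the report has neither.
const SELECTOR_META = /([!"#$%&'()*+,.\/:;<=>?@[\]^`{|}~\\])/g;

// Prefix each selector-meaningful character with a backslash so that the
// selector engine reads it as a literal part of the ID.
function escapeSelectorValue(value) {
  return String(value).replace(SELECTOR_META, "\\$1");
}

// Vulnerable shape (the pattern the report attributes to RemoveInstructor):
// the raw cardnumber is concatenated straight into the selector string.
function unsafeBorrowerSelector(cardnumber) {
  return "#borrower_" + cardnumber;
}

// Hardened shape: escape before building the selector.
function safeBorrowerSelector(cardnumber) {
  return "#borrower_" + escapeSelectorValue(cardnumber);
}

// Constructed, simplified validity check standing in for jQuery's tokenizer:
// after the '#', every character must be an identifier character or a
// backslash-escaped one. (The real CSS grammar has more rules, e.g. leading
// digits; this is enough to show why the unescaped selector is rejected.)
function isValidIdSelector(selector) {
  if (typeof selector !== "string" || selector[0] !== "#") return false;
  const ident = /^(?:[A-Za-z0-9_-]|\\.)+$/;
  return ident.test(selector.slice(1));
}

// Constructed sample cardnumbers; the first is the one in the report's error.
const SAMPLE_CARDNUMBERS = ["PCAC000029831$", "a,b", "x.y:z", "p[1]=@", "plain123"];

// Returns, for each sample, the unsafe and safe selectors and whether each
// would be accepted by the simplified tokenizer.
function demo() {
  return SAMPLE_CARDNUMBERS.map((c) => ({
    cardnumber: c,
    unsafe: unsafeBorrowerSelector(c),
    unsafeValid: isValidIdSelector(unsafeBorrowerSelector(c)),
    safe: safeBorrowerSelector(c),
    safeValid: isValidIdSelector(safeBorrowerSelector(c)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

In real page code the same result is reached with `CSS.escape(cardnumber)` in current browsers or `$.escapeSelector(cardnumber)` on jQuery 3 and later; alternatively, looking the element up with `document.getElementById("borrower_" + cardnumber)` avoids selector parsing altogether, since that API takes a raw ID rather than a selector string.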