[Koha-patches] [PATCH] Bug 13789 - facets with accented utf-8 characters generate double encoded links

Dobrica Pavlinusic dpavlin at rot13.org
Wed Mar 4 14:32:04 CET 2015 

Bug 13425 tried to fix XSS in OPAC, by using url filter in template toolkit
on whole generated url. This doesn't work and create double encoded strings
in facets because we are creating url variable by concatenating query_cgi
(which did pass through uri_escape_utf8 on perl side) and other
parameters which have to be escaped in template.

Also, code like

[% SET limit_cgi_f = limit_cgi | url %]

doesn't do anything (at least doesn't apply url filter) so it's not needed.

Test scenario:
1. find results in your opac which contain accented characters
2. click on them and verify that results are missing
3. apply this patch
4. re-run search and click on facets link verifying that there are
   now results
5. verify that facets are still safe from injection by constructing url like
   /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123
   and verifying that you DON'T see prompt window in your browser
---
 .../bootstrap/en/includes/opac-facets.inc          |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc
index 6e846f0..44fd40c 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc
@@ -32,20 +32,19 @@
                         <ul>
                             [% FOREACH facet IN facets_loo.facets %]
                                 <li>
-                                  [% SET query_cgi_f = query_cgi %]
-                                  [% SET limit_cgi_f = limit_cgi | url %]
-                                  [% SET url = "/cgi-bin/koha/opac-search.pl?" _ query_cgi_f _ limit_cgi_f %]
+                                  [% SET url = "/cgi-bin/koha/opac-search.pl?" _ query_cgi %]
+                                  [% url = BLOCK %][% url %][% limit_cgi |url %][% END %]
                                   [% IF ( sort_by ) %]
-                                    [% SET url = url _ "&sort_by=" _ sort_by |url %]
+                                    [% url = BLOCK %][% url %][% "&sort_by=" _ sort_by |url %][% END %]
                                   [% END %]
                                   [% facet.facet_link_value = BLOCK %][% facet.facet_link_value | uri %][% END %]
                                   [% IF facet.active %]
                                     [% SET url = url _ "&nolimit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]
                                     <span class="facet-label">[% facet.facet_label_value %]</span>
-                                    [<a href="[% url |url%]" title="Remove facet [% facet.facet_link_value | html %]">x</a>]
+                                    [<a href="[% url %]" title="Remove facet [% facet.facet_link_value | html %]">x</a>]
                                   [% ELSE %]
                                     [% SET url = url _ "&limit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]
-                                    <span class="facet-label"><a href="[% url |url%]" title="[% facet.facet_title_value |html %]">[% facet.facet_label_value %]</a></span>
+                                    <span class="facet-label"><a href="[% url %]" title="[% facet.facet_title_value |html %]">[% facet.facet_label_value %]</a></span>
                                     [% IF ( displayFacetCount ) %]
                                       <span class="facet-count"> ([% facet.facet_count %])</span>
                                     [% END %]
-- 
1.7.2.5

More information about the Koha-patches mailing list