From f77c3d014fdda5890d7f7ff1d9d14095dc2377ce Mon Sep 17 00:00:00 2001 From: Bill Erickson Date: Wed, 17 Aug 2011 15:28:53 -0400 Subject: [PATCH] TPac: more aggressive dynamic output filtering Making heavier user of html/uri filters to prevent accidental or malicious rendering of html from dynamic data. More to follow. Signed-off-by: Bill Erickson --- Open-ILS/web/templates/default/opac/parts/anon_list.tt2 | 6 +++--- .../templates/default/opac/parts/coded_value_selector.tt2 | 2 +- .../web/templates/default/opac/parts/org_selector.tt2 | 4 ++-- Open-ILS/web/templates/default/opac/parts/place_hold.tt2 | 15 +++++++-------- .../web/templates/default/opac/parts/qtype_selector.tt2 | 4 ++-- Open-ILS/web/templates/default/opac/parts/topnav.tt2 | 2 +- Open-ILS/web/templates/default/opac/results.tt2 | 8 +++++--- 7 files changed, 21 insertions(+), 20 deletions(-) diff --git a/Open-ILS/web/templates/default/opac/parts/anon_list.tt2 b/Open-ILS/web/templates/default/opac/parts/anon_list.tt2 index 19a7440320..6f91af7b00 100644 --- a/Open-ILS/web/templates/default/opac/parts/anon_list.tt2 +++ b/Open-ILS/web/templates/default/opac/parts/anon_list.tt2 @@ -36,7 +36,7 @@ [% IF ctx.user AND ctx.bookbags.size %] [% FOR bbag IN ctx.bookbags %]] - + [% END %] [% END %] @@ -53,8 +53,8 @@ - [% attrs.title %] - [% attrs.author %] + [% attrs.title | html %] + [% attrs.author | html %] [% END %] diff --git a/Open-ILS/web/templates/default/opac/parts/coded_value_selector.tt2 b/Open-ILS/web/templates/default/opac/parts/coded_value_selector.tt2 index ad46d794f5..33469fe558 100644 --- a/Open-ILS/web/templates/default/opac/parts/coded_value_selector.tt2 +++ b/Open-ILS/web/templates/default/opac/parts/coded_value_selector.tt2 @@ -22,7 +22,7 @@ [% END %] [% FOR o IN all_values %] - + [% END -%] diff --git a/Open-ILS/web/templates/default/opac/parts/org_selector.tt2 b/Open-ILS/web/templates/default/opac/parts/org_selector.tt2 index 52500f0518..1485679510 100644 
--- a/Open-ILS/web/templates/default/opac/parts/org_selector.tt2 +++ b/Open-ILS/web/templates/default/opac/parts/org_selector.tt2 @@ -8,11 +8,11 @@ selected = 'selected="selected"'; END; %] - [% FOR child IN walker.children; diff --git a/Open-ILS/web/templates/default/opac/parts/place_hold.tt2 b/Open-ILS/web/templates/default/opac/parts/place_hold.tt2 index 861a987a5b..903cbb65a8 100644 --- a/Open-ILS/web/templates/default/opac/parts/place_hold.tt2 +++ b/Open-ILS/web/templates/default/opac/parts/place_hold.tt2 @@ -15,7 +15,7 @@ [% ELSIF ctx.hold_failed_event || ctx.hold_local_alert %]
[% l('Problem:') %] - + [% fail_part_key = ctx.hold_failed_event.payload.fail_part; event_key = ctx.hold_failed_event.textcode; @@ -32,8 +32,7 @@ [% IF ctx.hold_copy_available %]

- [% l('Find a copy in the shelving location, "[_1]."', - ctx.hold_copy_available.location) %] + [% l('Find a copy in the shelving location, "[_1]."', locname) | html %]

[% END %] [% IF ctx.could_override || ctx.hold_local_alert %] @@ -45,7 +44,7 @@
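Review bot: The added line passes `locname` to l(), but nothing in this hunk assigns it — the two removed lines read `ctx.hold_copy_available.location` directly, and if `locname` is not set just above this point Template Toolkit will silently interpolate an empty string into the message. If the variable only exists to pre-escape the location, it is redundant here because the `| html` on the l() call already escapes the interpolated value, so `[% l('Find a copy in the shelving location, "[_1]."', ctx.hold_copy_available.location) | html %]` would do without it. If `locname` is set in this file's earlier hunk, whose added content is not visible in this view, a short comment naming where it comes from (`[%# locname set above from ctx.hold_copy_available.location %]`) would save the next reader the same search.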
[% FOR k IN ctx.orig_params.keys %] - + [% END %] @@ -83,20 +82,20 @@ -
[%# XXX multi-barcode users? %] +
[%# XXX multi-barcode users? %]

[% END %]

- [% | l(attrs.title, ctx.get_aou(ctx.default_pickup_lib).name) %] + [% title = attrs.title | html; libname = ctx.get_aou(ctx.default_pickup_lib).name | html %] + [% | l(title, libname) %] You would like to place a hold on [_1].
If this is correct, confirm your pickup location and click SUBMIT. [% END %] diff --git a/Open-ILS/web/templates/default/opac/parts/qtype_selector.tt2 b/Open-ILS/web/templates/default/opac/parts/qtype_selector.tt2 index f79de8a29e..4b91a477bf 100644 --- a/Open-ILS/web/templates/default/opac/parts/qtype_selector.tt2 +++ b/Open-ILS/web/templates/default/opac/parts/qtype_selector.tt2 @@ -9,8 +9,8 @@ diff --git a/Open-ILS/web/templates/default/opac/parts/topnav.tt2 b/Open-ILS/web/templates/default/opac/parts/topnav.tt2 index 5c01e7ee6b..5aaa7b8442 100644 --- a/Open-ILS/web/templates/default/opac/parts/topnav.tt2 +++ b/Open-ILS/web/templates/default/opac/parts/topnav.tt2 @@ -22,7 +22,7 @@ - [% l('[_1] [_2]', ctx.user.first_given_name, ctx.user.family_name) %] + [% l('[_1] [_2]', ctx.user.first_given_name, ctx.user.family_name) | html %] diff --git a/Open-ILS/web/templates/default/opac/results.tt2 b/Open-ILS/web/templates/default/opac/results.tt2 index 5c0a620d52..a49b2ec03d 100644 --- a/Open-ILS/web/templates/default/opac/results.tt2 +++ b/Open-ILS/web/templates/default/opac/results.tt2 @@ -7,10 +7,12 @@ IF is_advanced || is_special; ctx.page_title = l("Search Results"); ELSE; - ctx.page_title = l("Search Results: ") _ CGI.param('query') | html_entity; + ctx.page_title = l("Search Results: ") _ CGI.param('query') | html; END; - page = CGI.param('page') || 0; + page = CGI.param('page'); + page = page.match('^\d+$') ? page : 0; # verify page is a sane value + page_count = ctx.page_size == 0 ? 1 : POSIX.ceil(ctx.hit_count / ctx.page_size); %] @@ -44,7 +46,7 @@ [% END %]
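Review bot: The assignments `title = attrs.title | html; libname = ctx.get_aou(ctx.default_pickup_lib).name | html` depend on the `|` filter applying to the right-hand value, but in Template Toolkit the side-effect `|` binds to the whole directive's output, and an assignment directive emits nothing — so it is worth confirming that `title` and `libname` actually hold escaped strings rather than the raw values, otherwise the confirmation text still interpolates an unescaped title. The unambiguous form is a BLOCK capture, e.g. `[% title = BLOCK; attrs.title | html; END; libname = BLOCK; ctx.get_aou(ctx.default_pickup_lib).name | html; END %]`, which escapes regardless of how the parser binds `|`. The `[% IF %]` structure enclosing this hunk begins before the visible hunk lines.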
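Review bot: The new sanity check `page.match('^\d+$')` anchors with `$`, which in a Perl regex also matches before a trailing newline, so a `page` value of `"3\n"` passes the check and is then used as-is in the paging arithmetic; `page = page.match('^\d+\z') ? page : 0;` closes that gap. The same assignment-with-filter shape appears in `ctx.page_title = l("Search Results: ") _ CGI.param('query') | html;` — since TT's side-effect `|` filters the directive's output rather than the assigned expression, confirm that `ctx.page_title` is really escaped, or apply `| html` where `ctx.page_title` is rendered instead. That rendering point is outside this hunk.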

[% UNLESS is_advanced || is_special %] -
Sort by
+
[% l('Sort by') %]
[% INCLUDE "default/opac/parts/filtersort.tt2" value=CGI.param('sort') %]
-- 2.11.0