From f1ed6fa6b514a8e730251b93487bffb9505bd185 Mon Sep 17 00:00:00 2001
From: Bill Erickson <berick@esilibrary.com>
Date: Thu, 11 Aug 2011 16:25:50 -0400
Subject: [PATCH] Force-encode CGI param values to prevent decode errors

CGI.pm decode()'s parameter values, so if it encounters a value that
is already decoded, it will croak and kill the page.  Proactively encode
paramter values so decode() won't fail.

The better solution may be to determine how we get such data, but
until then, let's allow the t-pac to work on funky data.

Signed-off-by: Bill Erickson <berick@esilibrary.com>
---
 Open-ILS/src/perlmods/lib/OpenILS/WWW/EGWeb.pm       |  3 +++
 Open-ILS/web/templates/default/opac/parts/header.tt2 | 12 ++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGWeb.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGWeb.pm
index 33a5dbb233..8226be799b 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGWeb.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGWeb.pm
@@ -4,6 +4,7 @@ use Template;
 use XML::Simple;
 use XML::LibXML;
 use File::stat;
+use Encode;
 use Apache2::Const -compile => qw(OK DECLINED HTTP_INTERNAL_SERVER_ERROR);
 use Apache2::Log;
 use OpenSRF::EX qw(:try);
@@ -68,6 +69,8 @@ sub handler {
         }
     });
 
+    $ctx->{encode_utf8} = sub {return encode_utf8(shift())};
+
     unless($tt->process($template, {ctx => $ctx, ENV => \%ENV, l => $text_handler})) {
         $r->log->warn('egweb: template error: ' . $tt->error);
         return Apache2::Const::HTTP_INTERNAL_SERVER_ERROR;
diff --git a/Open-ILS/web/templates/default/opac/parts/header.tt2 b/Open-ILS/web/templates/default/opac/parts/header.tt2
index 9b9132c545..1298754118 100644
--- a/Open-ILS/web/templates/default/opac/parts/header.tt2
+++ b/Open-ILS/web/templates/default/opac/parts/header.tt2
@@ -52,7 +52,11 @@
 
         # apply user params
         FOR k IN params.keys;
-            foo = cgi.param("-name", k, "-values", params.$k); 
+            encoded = [];
+            list = params.$k.0 ? params.$k : [params.$k];
+            # CGI croaks on already-decoded strings.  force-encode to be safe
+            FOR p IN list; encoded.push(ctx.encode_utf8(p)); END;
+            foo = cgi.param("-name", k, "-values", encoded);
         END;
 
         # for url brevity, remove any params that have no value
@@ -62,7 +66,11 @@
         END;
 
         IF page;
-            page _ '?' _ cgi.query_string;
+            IF cgi.query_string;
+                page _ '?' _ cgi.query_string;
+            ELSE;
+                page;
+            END;
         ELSE;
             cgi.url("-path" => 1, "-query" => 1);
         END;
-- 
2.43.2