MT#58157 escape uri refs in body.tt

* URI that comes from c.req.uri must be escaped as Catalyst
  provides c.req.uri unescaped.
* new Catalyst::NGCP::Plugin::EscapeURI with escape_uri()
  function
* new NGCP::Panel::Utils::Generic::escape_uri() that uses
  URI::Escape::uri::escape_utf8()
* c.req.uri and c.req.path occurrences in layout/body.tt are now
  escaped with c.escape_uri()

Change-Id: Id0483fa6e570a0ff8db84b1d470caf5405cc0886
(cherry picked from commit c826fccb29)
(cherry picked from commit 6fbab236ca)

lib/Catalyst/Plugin/NGCP/EscapeURI.pm

@@ -0,0 +1,13 @@
+package Catalyst::Plugin::NGCP::EscapeURI;
+use warnings;
+use strict;
+use MRO::Compat;
+
+use NGCP::Panel::Utils::Generic qw();
+
+sub escape_uri {
+    my $c = shift;
+    return NGCP::Panel::Utils::Generic::escape_uri(@_);
+}
+
+1;

lib/NGCP/Panel.pm

@@ -28,6 +28,7 @@ use Catalyst qw/
     NGCP::RealmCookie
     NGCP::EscapeSensitiveValue
     NGCP::EscapeJs
+    NGCP::EscapeURI
     I18N
 /;
 use Log::Log4perl::Catalyst qw();

lib/NGCP/Panel/Utils/Generic.pm

@@ -2,14 +2,15 @@ package NGCP::Panel::Utils::Generic;
 use strict;
 use warnings;
 use Exporter;
+use URI::Escape qw(uri_escape_utf8);
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
 
 $VERSION     = 1.00;
 @ISA         = qw(Exporter);
 @EXPORT      = ();
-@EXPORT_OK   = qw(is_int is_integer is_decimal merge compare is_false is_true get_inflated_columns_all hash2obj mime_type_to_extension extension_to_mime_type array_to_map escape_js);
-%EXPORT_TAGS = ( DEFAULT => [qw(&is_int &is_integer &is_decimal &merge &compare &is_false &is_true &mime_type_to_extension &extension_to_mime_type &array_to_map &escape_js)],
-    all    =>  [qw(&is_int &is_integer &is_decimal &merge &compare &is_false &is_true &get_inflated_columns_all &hash2obj &mime_type_to_extension &extension_to_mime_type &array_to_map &escape_js)]);
+@EXPORT_OK   = qw(is_int is_integer is_decimal merge compare is_false is_true get_inflated_columns_all hash2obj mime_type_to_extension extension_to_mime_type array_to_map escape_js escape_uri);
+%EXPORT_TAGS = ( DEFAULT => [qw(&is_int &is_integer &is_decimal &merge &compare &is_false &is_true &mime_type_to_extension &extension_to_mime_type &array_to_map &escape_js escape_uri)],
+    all    =>  [qw(&is_int &is_integer &is_decimal &merge &compare &is_false &is_true &get_inflated_columns_all &hash2obj &mime_type_to_extension &extension_to_mime_type &array_to_map &escape_js escape_uri)]);
 
 use Hash::Merge;
 use Data::Compare qw//;
@@ -222,4 +223,9 @@ sub escape_js {
     return $str;
 }
 
+sub escape_uri {
+    my $str = shift // '';
+    return uri_escape_utf8($str);
+}
+
 1;

share/layout/body.tt

@@ -138,7 +138,7 @@
             [% IF c.config.general.ui_enable -%]
               [% IF c.user.roles == 'admin' || c.user.roles == 'reseller' || c.user.roles == 'ccareadmin' || c.user.roles == 'ccare' || c.user.roles == 'lintercept' -%]
                 <div class="nav pull-right">
-                  <b><a href="[% c.uri_for_action('/login_to_v2') -%]/?page=[% c.req.path -%]">[% c.loc('GO TO NEW ADMIN PANEL') -%]</a></b>
+                  <b><a href="[% c.uri_for_action('/login_to_v2') -%]/?page=[% c.escape_uri(c.req.path) -%]">[% c.loc('GO TO NEW ADMIN PANEL') -%]</a></b>
                 </div>
               [% END -%]
             [% END -%]
@@ -221,7 +221,7 @@ var mainWrapperInit = function () {
     });
 
     [%
-        backuri = c.req.uri;
+        backuri = c.escape_uri(c.req.uri);
         tmp = backuri.query_param_delete('back');
     -%]
     $('a').each(function() {