Bug 6518 : Fixing XSS issues on opac

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-06-17 08:39:29 +12:00 · 2011-06-17 08:39:29 +12:00 · 126d6247b2
commit 126d6247b2
parent 99a7916b11
5 changed files with 8 additions and 8 deletions
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-addbybiblionumber.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-addbybiblionumber.tt
@ -66,7 +66,7 @@
 		<option value="1">Private</option>
 		<option value="2">Public</option>
 		</select></li></ol></fieldset>
-		[% FOREACH biblio IN biblios %] <input type="hidden" name="biblionumber" value="[% biblio.biblionumber %]" />[% END %]
+		[% FOREACH biblio IN biblios %] <input type="hidden" name="biblionumber" value="[% biblio.biblionumber | html%]" />[% END %]
 		<fieldset class="action"><input type="submit" value="Save" class="submit" /> <a class="close cancel" href="#">Cancel</a></fieldset>
 		</form>
 	[% END %]
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadcart.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadcart.tt
@ -19,7 +19,7 @@
 	</select></li></ol>
 </fieldset>
 <fieldset class="action">
-	<input type="hidden" name="bib_list" value="[% bib_list %]" />
+	<input type="hidden" name="bib_list" value="[% bib_list | html %]" />
 	<input type="submit" name="save" value="Go" />
 </fieldset>
    </form>
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt
@ -26,7 +26,7 @@

 		</select></li></ol>
 	</fieldset>
-	<fieldset class="action">	<input type="hidden" name="shelfid" value="[% shelfid %]" />
+	<fieldset class="action">	<input type="hidden" name="shelfid" value="[% shelfid | html %]" />
 		<input type="submit" name="save" value="Go" /></fieldset>
 	    </form>

--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tt
@ -11,7 +11,7 @@
 			[% IF ( cgi_debug ) %]alert(_('injecting OLD comment: ')+comment);[% END %]
 			parent.opener.$('#c[% reviewid %] p').prev("small").prev("h5").html("Your Edited Comment (preview, pending approval)");
 			parent.opener.$('#c[% reviewid %] p').html(comment);
-			parent.opener.$('#c[% reviewid %] p').append(" <a href=\"#comment\" onclick=\"Dopop(\'/cgi-bin/koha/opac-review.pl?biblionumber=[% biblionumber %]&amp;reviewid=[% reviewid %]\');\">Edit<\/a>");
+			parent.opener.$('#c[% reviewid %] p').append("<a href=\"#comment\" onclick=\"Dopop(\'/cgi-bin/koha/opac-review.pl?biblionumber=[% biblionumber | uri %]&amp;reviewid=[% reviewid | uri%]\');\">Edit<\/a>");
 			[% END %]
 			return 1;
 		};
@ -21,7 +21,7 @@
 			parent.opener.$('#newcomment').html(
 				"<h5>Your Comment (preview, pending approval)<\/h5>" +
 				"<p>"+comment+"<\/p>" +
-				"<a href=\"#comment\" onclick=\"Dopop(\'/cgi-bin/koha/opac-review.pl?biblionumber=[% biblionumber %]\');\">Edit<\/a><\/p>"
+				"<a href=\"#comment\" onclick=\"Dopop(\'/cgi-bin/koha/opac-review.pl?biblionumber=[% biblionumber |uri%]\');\">Edit<\/a><\/p>"
 			);
 			parent.opener.$("#addcomment").prev("p").remove();
 			parent.opener.$("#addcomment").remove();
@ -66,7 +66,7 @@
 	</div>
 [% END %]
 <form id="reviewf" action="/cgi-bin/koha/opac-review.pl[% IF ( cgi_debug ) %]?debug=1[% END %]" method="post">
-    <input type="hidden" name="biblionumber" value="[% biblionumber %]" />
+    <input type="hidden" name="biblionumber" value="[% biblionumber | html%]" />
 	<fieldset class="brief">
 	<legend>Comments on <i>[% title |html %] [% subtitle %]</i>[% IF ( author ) %]by [% author %][% END %]</legend>
            <ol><li><textarea id="review" name="review" cols="60" rows="8">[% review %]</textarea></li></ol>
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-serial-issues.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-serial-issues.tt
@ -12,9 +12,9 @@
 <div id="userserialissues" class="container">
 <h2>Issues for a subscription</h2>
 <div id="views">
-	<span class="view"><a id="Normalview" href="opac-detail.pl?biblionumber=[% biblionumber %]" class="button">Normal View</a></span>
+	<span class="view"><a id="Normalview" href="opac-detail.pl?biblionumber=[% biblionumber | html %]" class="button">Normal View</a></span>
 		<span class="view"><span id="Briefhistory">Brief history</span></span>
-	<span class="view"><a id="Fullhistory" href="opac-serial-issues.pl?selectview=full&amp;biblionumber=[% biblionumber %]" class="button">Full History</a></span>
+	<span class="view"><a id="Fullhistory" href="opac-serial-issues.pl?selectview=full&amp;biblionumber=[% biblionumber | html%]" class="button">Full History</a></span>
 </div>
 <form method="post" name="f">
 [% FOREACH subscription_LOO IN subscription_LOOP %]