Bug 35960: Use .val() instead of string concat to prevent potential XSS

Test plan: 1. Log out 2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char 3. Open the brower's inspector and find "auth_forwarded_hash" input 4. Make sure the value attribute is there and corresponds to the URL's fragment. It should be URI-encoded. Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> (cherry picked from commit e6f8a4361e2975dfefcd9773fa61ef7d40300086) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com> (cherry picked from commit 5409e17fb5abe0130f3cb2cd6c3d2a7707a5b251) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
2024-02-01 09:15:23 +01:00 · 2024-02-01 09:15:23 +01:00 · 193ac375aa
commit 193ac375aa
parent 652e3819bd
1 changed files with 3 additions and 1 deletions
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
@ -219,7 +219,9 @@
    <script>
        $(document).ready( function() {
            if ( document.location.hash ) {
-                $( '#loginform' ).append( '<input name="auth_forwarded_hash" type="hidden" value="' + document.location.hash + '"/>' );
+                const input = $('<input name="auth_forwarded_hash" type="hidden">')
+                input.val(document.location.hash);
+                $( '#loginform' ).append( input );
            }
            // Clear last borrowers, rememberd sql reports, carts, etc.
            logOut();