Bug 20770: ILL loans OPAC form notes field allow arbitrary input

This patch addresses the lack of sanitization of the "notes" field on the OPAC "View Interlibrary loan request" page. To test: - Apply the patch - As an OPAC user, create an ILL request - Navigate to the request's "View Interlibrary loan request" page - Add the following note: Hello <h1>TESTING</h1> <script>alert('pwned');</script> - Click "Submit modifications" - TEST: Observe, when the page reloads, only the following is preserved in the "Notes" textarea: Hello TESTING - As a staff user, naviate to the ILL requests table - Select "Manage request" for the request you created - TEST: Observe that the Notes field only contains: Hello TESTING - TEST: Observe that no Javascript alert is displayed Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2018-05-15 16:00:02 +01:00 · 2018-05-15 16:00:02 +01:00 · 552873f7d4
commit 552873f7d4
parent 10720d2a5c
3 changed files with 8 additions and 4 deletions
--- a/koha-tmpl/intranet-tmpl/prog/css/staff-global.css
+++ b/koha-tmpl/intranet-tmpl/prog/css/staff-global.css
@ -3192,6 +3192,10 @@ fieldset.rows + fieldset.action {
    line-height: 1.3em;
 }

+#ill-view-panel .notesopac {
+    display: inline-block;
+}
+
 table#ill-requests {
    width: 100% !important;
 }
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt
@ -452,7 +452,7 @@
                                </li>
                                <li class="notesopac">
                                    <label for="notesopac" class="notesopac">Opac notes:</label>
-                                    <textarea name="notesopac" id="notesopac" rows="5">[% request.notesopac %]</textarea>
+                                    <textarea name="notesopac" id="notesopac" rows="5">[% request.notesopac | html %]</textarea>
                                </li>
                            </ol>
                        </fieldset>
@ -554,7 +554,7 @@
                                </div>
                                <div class="notesopac">
                                    <span class="label notes_opac">Notes:</span>
-                                    <pre>[% request.notesopac %]</pre>
+                                    <pre>[% request.notesopac | html %]</pre>
                                </div>
                            </div>
                            <div class="rows">
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-illrequests.tt
@ -179,9 +179,9 @@
                                    <li>
                                        <label for="notesopac">Notes:</label>
                                        [% IF !request.completed %]
-                                            <textarea name="notesopac" rows="5" cols="50">[% request.notesopac %]</textarea>
+                                            <textarea name="notesopac" rows="5" cols="50">[% request.notesopac | html %]</textarea>
                                        [% ELSE %]
-                                            [% request.notesopac %]
+                                            [% request.notesopac | html %]
                                        [% END %]
                                    </li>
                                </ol>