Bug 37720: Prevent XSS in label creator
Because labels/label-edit-batch.pl fills a DataTable with things that include a link created by C4/Creators/Lib.pm, it outputs them with the $raw filter, so HTML in author/title/callnumber is executed in the label batch editor. While we wait for a fix that moves the link creation into the template and out of C4, encoding HTML in Lib.pm for the bits going into the link, and switching from $raw to the html filter for the rest of the things, will at least get rid of the XSS.

Test plan:
1. Without this patch, but with the patch from bug 37654 so you don't get alert()s in batch import, download attachment 170675
2. Cataloging - Stage records for import - browse to the downloaded file - Upload file - when the upload finishes Stage for import - when staging finishes View batch (get alert()s if you didn't apply bug 37654) - Import this batch into the catalog
3. Once the import finishes, Cataloging - Manage staged records
4. In the row for your import, in the # Items column, click "(Create label batch)"
5. In the "Label batch #n created" message, click the link to the batch #
6. Because the batch includes a call number with an open <script>, you'll get XSS alert()s and then one about something going wrong while loading the table, with only one of the two records showing in the batch editor
7. Apply patch, restart_all
8. Cataloging - Label creator - Manage Label batches
9. In the row for your batch, click Edit
10. You will see both labels, with their attempts at XSS visible as text rather than being interpreted as HTML

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
parent ef654af762
commit 8b73d2bb3b
2 changed files with 5 additions and 3 deletions
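To see the difference the commit message describes, here is an added Perl example (not Koha's own code) that renders one label-summary cell with Template Toolkit both ways: first the old way, where a pre-built HTML string is emitted unfiltered (plain TT has no $raw filter; an unfiltered directive is the same passthrough), then the patched way, where the template receives the parts and applies the uri and html filters itself. The record, template strings and the render() helper are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not Koha code: compares unescaped vs. filtered output of a
# label-summary cell using Template Toolkit's built-in 'html' and 'uri' filters.
use strict;
use warnings;
use Template;

# Constructed record: the title carries the kind of markup the bug's test
# attachment puts in a call number.
my $record = {
    biblionumber => 42,
    title        => 'Perl <script>alert(1)</script> Cookbook',
    author       => 'Christiansen & Torkington',
};

# Old behaviour: Lib.pm built one HTML string and the template output it raw.
my $old_summary = '<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber='
    . $record->{biblionumber} . '"> ' . $record->{title} . '</a> | '
    . ( $record->{author} ? $record->{author} : 'N/A' );
my $unsafe_tmpl = '<td>[% field_value %]</td>';    # unfiltered == Koha's $raw

# Patched behaviour: the template gets {title, author, biblionumber} and
# escapes each part for the context it lands in (URL vs. text node).
my $safe_tmpl = '<td><a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber='
    . '[% field_value.biblionumber | uri %]">[% field_value.title | html %]</a>'
    . '[% IF field_value.author %] | [% field_value.author | html %][% END %]</td>';

# Render a template string with a single variable 'field_value'.
sub render {
    my ( $template, $value ) = @_;
    my $tt  = Template->new() or die Template->error();
    my $out = '';
    $tt->process( \$template, { field_value => $value }, \$out )
        or die $tt->error();
    return $out;
}

# The first line still contains a live <script> element; in the second the
# angle brackets and ampersand are entity-encoded, so the browser shows them
# as text exactly as step 10 of the test plan describes.
print "unsafe: ", render( $unsafe_tmpl, $old_summary ), "\n";
print "safe:   ", render( $safe_tmpl,   $record ),      "\n";
```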
@ -345,8 +345,7 @@ sub get_label_summary {
$record->{'title'} =~ s/\W*$//; # strip off ugly trailing chars
# FIXME contructing staff interface URLs should be done *much* higher up the stack - for the most part, C4 module code
# should not know that it's part of a web app
$record->{'title'} = '<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=' . $record->{'biblionumber'} . '"> ' . $record->{'title'} . '</a>';
$label_summary->{'_summary'} = $record->{'title'} . " | " . ($record->{'author'} ? $record->{'author'} : 'N/A');
$label_summary->{'_summary'} = { title => $record->{title}, author => $record->{author}, biblionumber => $record->{biblionumber} };
$label_summary->{'_item_type'} = C4::Context->preference("item-level_itypes") ? $record->{'itype'} : $record->{'itemtype'};
$label_summary->{'_barcode'} = $record->{'barcode'};
$label_summary->{'_item_number'} = $item->{'item_number'};
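Review bot: the commit message no longer matches this hunk. Its first paragraph says the interim fix will HTML-encode the link parts inside Lib.pm, but the hunk instead drops the `<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=...">` construction (together with the FIXME about building staff URLs in C4) and replaces the `_summary` string with `{ title => ..., author => ..., biblionumber => ... }`, which is the template-side fix the message says it is waiting for; please update the message to describe what is actually done. Since `_summary` changes type from a string to a hash reference, any other consumer of `get_label_summary` that treats that field as text should be checked before this lands.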
@ -160,8 +160,11 @@
<td>
[% IF ( text_field.field_name == '_item_type_tbl' ) %]
[% ItemTypes.GetDescription( text_field.field_value ) | html %]
[% ELSIF ( text_field.field_name == '_summary_tbl' ) %]
<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% text_field.field_value.biblionumber | uri %]">[% text_field.field_value.title | html %]</a>
[% IF text_field.field_value.author %]| [% text_field.field_value.author | html %][% END %]
[% ELSE %]
[% text_field.field_value | $raw %]
[% text_field.field_value | html %]
[% END %]
</td>
[% END %]
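Review bot: the new `_summary_tbl` branch silently changes what is shown for records without an author. The removed `_summary` string in Lib.pm ended in `'N/A'` when `author` was empty, whereas `[% IF text_field.field_value.author %]| [% text_field.field_value.author | html %][% END %]` now prints nothing at all; either add an `[% ELSE %]| N/A[% END %]` to keep the display unchanged or mention the change in the commit message. The filters themselves are the right ones for their contexts: `| uri` on the biblionumber inside the href, `| html` on the title and author text nodes, and the `[% ELSE %]` switch from `$raw` to `html` for every other column.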