
Bug 26592: Prevent XSS vulnerabilities when circ/ysearch.pl is used

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
20.11.x
Jonathan Druart 1 year ago
parent
commit
9c2f9a021a
  1. 24
      koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc
  2. 21
      koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt
  3. 20
      koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt
  4. 21
      koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt

24
koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc

@ -101,11 +101,16 @@
// Display card number in parentheses if it exists
cardnumber = " (" + item.cardnumber + ") ";
}
var itemString = "<a href=\"" + item.link + "\">" + item.surname + ", " + item.firstname + cardnumber + " <small>";
var itemString = "<a href=\"" + item.link + "\">" + ( item.surname ? item.surname.escapeHtml() : "" ) + ", " + ( item.firstname ? item.firstname.escapeHtml() : "" ) + cardnumber.escapeHtml() + " <small>";
if( item.dateofbirth ) {
itemString += item.dateofbirth + "<span class=\"age_years\"> (" + item.age + " " + _("years") + ")</span>, ";
itemString += ( item.dateofbirth ? item.dateofbirth.escapeHtml() : "" )
+ "<span class=\"age_years\"> (" + ( item.age ? item.age.escapeHtml() : "" ) + " " + _("years") + ")</span>, ";
}
itemString += item.address + " " + item.city + " " + item.zipcode + " " + item.country + "</small></a>";
itemString += ( item.address ? item.address.escapeHtml() : "" ) + " "
+ ( item.city ? item.city.escapeHtml() : "" ) + " "
+ ( item.zipcode ? item.city.escapeHtml() : "" ) + " "
+ ( item.country ? item.country.escapeHtml() : "" )
+ "</small></a>";
return $( "<li></li>" )
.data( "ui-autocomplete-item", item )
.append( itemString )
@ -137,7 +142,18 @@
}
return $( "<li></li>" )
.data( "ui-autocomplete-item", item )
.append( "<a href=\"" + item.link + "\">" + item.surname + ", " + item.firstname + cardnumber + " <small>" + item.dateofbirth + " " + item.address + " " + item.city + " " + item.zipcode + " " + item.country + "</small></a>" )
.append(
"<a href=\"" + item.link + "\">" + ( item.surname ? item.surname.escapeHtml() : "" ) + ", "
+ ( item.firstname ? item.firstname.escapeHtml() : "" )
+ cardnumber.escapeHtml()
+ " <small>"
+ ( item.dateofbirth ? item.dateofbirth.escapeHtml() : "" ) + " "
+ ( item.address ? item.address.escapeHtml() : "" ) + " "
+ ( item.city ? item.city.escapeHtml() : "" ) + " "
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" ) + " "
+ ( item.country ? item.country.escapeHtml() : "" )
+ "</small>"
+ "</a>" )
.appendTo( ul );
};
}
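Review bot: The zipcode term in the first hunk of js_includes.inc escapes the wrong field — `( item.zipcode ? item.city.escapeHtml() : "" )` tests zipcode but emits city, so the zip code is silently dropped and the city printed twice; it should read `( item.zipcode ? item.zipcode.escapeHtml() : "" )`, as the second hunk of the same file already does. In the same hunk `item.age.escapeHtml()` will throw if age arrives as a number rather than a string, since escapeHtml looks like a String.prototype extension defined outside this diff; `String(item.age).escapeHtml()` is robust to either type, and the same applies to `cardnumber.escapeHtml()` if the no-cardnumber path (outside the hunk) leaves that variable unset. Note also that `item.link` is still concatenated unescaped into the href attribute in both hunks, which is only safe if it is server-generated and never derived from the search input — worth confirming. The enclosing _renderItem function starts before the first hunk.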

21
koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt

@ -323,10 +323,23 @@
.data( "ui-autocomplete" )._renderItem = function( ul, item ) {
return $( "<li></li>" )
.data( "ui-autocomplete-item", item )
.append( "<a>" + item.surname + ", " + item.firstname +
" (" + item.cardnumber + ") <small>" + item.address +
" " + item.city + " " + item.zipcode + " " +
item.country + "</small></a>" )
.append(
"<a>"
+ ( item.surname ? item.surname.escapeHtml() : "" )
+ ", "
+ ( item.firstname ? item.firstname.escapeHtml() : "" )
+ " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")"
+ " "
+ "<small>"
+ ( item.address ? item.address.escapeHtml() : "" )
+ " "
+ ( item.city ? item.city.escapeHtml() : "" )
+ " "
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" )
+ " "
+ ( item.country ? item.country.escapeHtml() : "" )
+ "</small>"
+ "</a>" )
.appendTo( ul );
};
}
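Review bot: The escaped _renderItem body in this hunk is repeated verbatim in the course.tt and reserve/request.tt sections and is a near-copy of the one in js_includes.inc, which is exactly how the field mix-up in that file's first hunk slipped in. Hoisting one renderer (or at least one small helper that returns the escaped fields, say `escapedPatronFields(item)`) into js_includes.inc would keep the escaping in a single place. It is also worth considering letting jQuery do the escaping instead of string-building: `$("<a>").text(\`${surname}, ${firstname} (${cardnumber})\`).append($("<small>").text(addressLine))` needs no escapeHtml at all and cannot regress when a field is added. Both points apply equally to the course.tt and reserve/request.tt sections.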

20
koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt

@ -169,7 +169,23 @@
.data( "ui-autocomplete" )._renderItem = function( ul, item ) {
return $( "<li></li>" )
.data( "ui-autocomplete-item", item )
.append( "<a>" + item.surname + ", " + item.firstname + " (" + item.cardnumber + ") <small>" + item.address + " " + item.city + " " + item.zipcode + " " + item.country + "</small></a>" )
.append(
"<a>"
+ ( item.surname ? item.surname.escapeHtml() : "" )
+ ", "
+ ( item.firstname ? item.firstname.escapeHtml() : "" )
+ " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")"
+ " "
+ "<small>"
+ ( item.address ? item.address.escapeHtml() : "" )
+ " "
+ ( item.city ? item.city.escapeHtml() : "" )
+ " "
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" )
+ " "
+ ( item.country ? item.country.escapeHtml() : "" )
+ "</small>"
+ "</a>" )
.appendTo( ul );
};
@ -186,7 +202,7 @@
});
function AddInstructor( name, borrowernumber ) {
div = "<div class='instructor_line' id='borrower_" + borrowernumber + "'>" + name + " ( <a href='#' class='removeInstructor'><i class='fa fa-trash'></i> " + _("Remove")+ " </a> ) <input type='hidden' name='instructors' value='" + borrowernumber + "' /></div>";
div = "<div class='instructor_line' id='borrower_" + borrowernumber + "'>" + ( name ? name.escapeHtml() : "" ) + " ( <a href='#' class='removeInstructor'><i class='fa fa-trash'></i> " + _("Remove")+ " </a> ) <input type='hidden' name='instructors' value='" + borrowernumber + "' /></div>";
$('#instructors').append( div );
$('#find_instructor').val('').focus();
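Review bot: In AddInstructor (the second hunk) only `name` is now escaped, while `borrowernumber` is still concatenated raw into the `id='borrower_…'` attribute and the hidden input's `value='…'`, both single-quoted attribute contexts. If the value is always a numeric id from the server this is harmless, but since this call site consumes the same autocomplete data the commit is hardening, escaping it costs nothing: `value='" + String(borrowernumber).escapeHtml() + "'`, provided escapeHtml covers quotes (its definition is not visible here). The rewritten line also assigns `div` without declaring it, creating an implicit global; `var div = ...` keeps it local. AddInstructor continues past the end of the hunk.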

21
koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt

@ -1320,10 +1320,23 @@
.data( "ui-autocomplete" )._renderItem = function( ul, item ) {
return $( "<li></li>" )
.data( "ui-autocomplete-item", item )
.append( "<a>" + item.surname + ", " + item.firstname +
" (" + item.cardnumber + ") <small>" + item.address +
" " + item.city + " " + item.zipcode + " " +
item.country + "</small></a>" )
.append(
"<a>"
+ ( item.surname ? item.surname.escapeHtml() : "" )
+ ", "
+ ( item.firstname ? item.firstname.escapeHtml() : "" )
+ " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")"
+ " "
+ "<small>"
+ ( item.address ? item.address.escapeHtml() : "" )
+ " "
+ ( item.city ? item.city.escapeHtml() : "" )
+ " "
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" )
+ " "
+ ( item.country ? item.country.escapeHtml() : "" )
+ "</small>"
+ "</a>" )
.appendTo( ul );
};
[% END %]
