
Bug 19128: Fix Stored XSS in patron-attr-types.pl, authorised_values.pl and categories.pl

Preparation:
- Add a branch with script in the branch name
- Add a patron category with script in the category name
- Add a new authorised value category with script
- Add a new authorised value for this category with script
  in all possible fields

- Test editing patron categories
- Test editing patron attribute types
- Test viewing and editing authorised values

Verify that with this script there is no more script executed
and everything works fine.

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
17.11.x
Katrin Fischer 5 years ago
committed by Jonathan Druart
parent
commit
b4608887f6
  1. 18
      koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt
  2. 4
      koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
  3. 10
      koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt

18
koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt

@ -109,9 +109,9 @@ $(document).ready(function() {
<option value="">All libraries</option>
[% FOREACH branch IN branches_loop %]
[% IF ( branch.selected ) %]
<option selected="selected" value="[% branch.branchcode %]">[% branch.branchname %]</option>
<option selected="selected" value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
[% ELSE %]
<option value="[% branch.branchcode %]">[% branch.branchname %]</option>
<option value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
[% END %]
[% END %]
</select>
@ -164,7 +164,7 @@ $(document).ready(function() {
[% IF op == 'list' %]
<div id="toolbar" class="btn-toolbar">
<a id="addauth" class="btn btn-default btn-sm" href= "/cgi-bin/koha/admin/authorised_values.pl?op=add_form&amp;category=[% category %]"><i class="fa fa-plus"> </i> New authorized value for [% category %]</a>
<a id="addauth" class="btn btn-default btn-sm" href= "/cgi-bin/koha/admin/authorised_values.pl?op=add_form&amp;category=[% category %]"><i class="fa fa-plus"> </i> New authorized value for [% category |html %]</a>
<a id="addcat" class="btn btn-default btn-sm" href= "/cgi-bin/koha/admin/authorised_values.pl?op=add_form"><i class="fa fa-plus"> </i> New category</a>
</div>
@ -207,9 +207,9 @@ $(document).ready(function() {
<select name="searchfield" id="searchfield" size="1">
[% FOR c IN categories %]
[% IF c == searchfield %]
<option value="[% c %]" selected="selected">[% c %]</option>
<option value="[% c %]" selected="selected">[% c |html %]</option>
[% ELSE %]
<option value="[% c %]">[% c %]</option>
<option value="[% c %]">[% c |html %]</option>
[% END %]
[% END %]
<input type="submit" value="Submit" />
@ -250,7 +250,7 @@ $(document).ready(function() {
[% IF ( category == 'NOT_LOAN' ) %]
<p>Statuses to describe why an item is not for loan</p>
[% END %]
<h3>Authorized values for category [% category %]:</h3>
<h3>Authorized values for category [% category |html %]:</h3>
[% IF ( loop ) %]<div id="pagertable_authorized_values">
</div>[% END %]
@ -272,8 +272,8 @@ $(document).ready(function() {
<tr>
[% END %]
<td>[% loo.authorised_value %]</td>
<td>[% loo.lib %]</td>
<td>[% loo.lib_opac %]</td>
<td>[% loo.lib |html %]</td>
<td>[% loo.lib_opac |html %]</td>
<td>[% IF ( loo.imageurl ) %]<img src="[% loo.imageurl %]" alt=""/>[% ELSE %]&nbsp;[% END %]</td>
<td>
[% IF loo.branches.size > 0 %]
@ -296,7 +296,7 @@ $(document).ready(function() {
</tr>
[% END %]
</tbody></table>[% ELSE %]
<div class="dialog message">There are no authorized values defined for [% category %]</div>
<div class="dialog message">There are no authorized values defined for [% category |html %]</div>
[% END %]
[% IF ( isprevpage ) %]
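Review bot: In the table-row hunk, `<td>[% loo.authorised_value %]</td>` directly above the two newly filtered cells still renders the value unescaped, and the test plan puts script into all fields of the authorised value, so that column remains an injection point; change it to `<td>[% loo.authorised_value |html %]</td>`. The same row emits `loo.imageurl` raw inside `src="…"`, where the `html` filter is needed as well. In the toolbar hunk the link text is now filtered but `category=[% category %]` inside the href attribute is still interpolated raw; a query-string value belongs under the `uri` filter rather than left unescaped. Whether these values are validated on input is outside this diff, so the template should not rely on it.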

4
koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt

@ -160,9 +160,9 @@
<option value="">All branches</option>
[% FOREACH branch IN branches_loop %]
[% IF branch.selected %]
<option selected="selected" value="[% branch.branchcode %]">[% branch.branchname %]</option>
<option selected="selected" value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
[% ELSE %]
<option value="[% branch.branchcode %]">[% branch.branchname %]</option>
<option value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
[% END %]
[% END %]
</select>
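Review bot: Only the option text receives the `html` filter here; `value="[% branch.branchcode %]"` on the same lines is still interpolated raw into an attribute, so a branchcode containing a double quote could terminate the attribute (whether branchcode is constrained at input is not visible in this diff). Escape in attribute context too, e.g. `<option value="[% branch.branchcode |html %]">[% branch.branchname |html %]</option>`. The same pattern remains in the branches select of authorised_values.tt and in the branches, categories and classes selects of patron-attr-types.tt (`cat.categorycode`, `class.authorised_value`).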

10
koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt

@ -170,9 +170,9 @@ $(document).ready(function() {
<option value="">All branches</option>
[% FOREACH branch IN branches_loop %]
[% IF ( branch.selected ) %]
<option selected="selected" value="[% branch.branchcode %]">[% branch.branchname %]</option>
<option selected="selected" value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
[% ELSE %]
<option value="[% branch.branchcode %]">[% branch.branchname %]</option>
<option value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
[% END %]
[% END %]
</select>
@ -184,7 +184,7 @@ $(document).ready(function() {
<select name="category_code" id="category">
<option value=""></option>
[% FOREACH cat IN categories %]
[% IF ( cat.categorycode == category_code ) %]<option value="[% cat.categorycode %]" selected="selected">[% cat.description %]</option>[% ELSE %]<option value="[% cat.categorycode %]">[% cat.description %]</option>[% END %]
[% IF ( cat.categorycode == category_code ) %]<option value="[% cat.categorycode %]" selected="selected">[% cat.description |html %]</option>[% ELSE %]<option value="[% cat.categorycode %]">[% cat.description |html %]</option>[% END %]
[% END %]
</select>
<span>Choose one to limit this attribute to one patron type. Please leave blank if you want these attributes to be available for all types of patrons.</span>
@ -196,11 +196,11 @@ $(document).ready(function() {
[% FOREACH class IN classes_val_loop %]
[% IF class.authorised_value == category_class %]
<option value="[% class.authorised_value %]" selected="selected">
[% class.lib %]
[% class.lib |html %]
</option>
[% ELSE %]
<option value="[% class.authorised_value %]" >
[% class.lib %]
[% class.lib |html %]
</option>
[% END %]
[% END %]
