Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/opac
History
Michał Górny 3241671cdd
Bug 34023: Prevent HTML injection in "back to results" link from search page 
It is possible inject raw HTML into the "Back to search results" link by leading the user to a search with specially crafted URL.

For example, using the demo instance:

1. Visit https://koha.adminkuhn.ch/cgi-bin/koha/opac-search.pl?idx=&q=test&weight_search=1&%22%3Etest%3Ca%20foo=%22

2. Refresh the page (for some reason, "back to results" doesn't appear unless I do that at least once).

3. Click any result.

Note that the result page now contains:

  <a href="opac-search.pl?idx=&amp;q=test&amp;weight_search=1&amp;">test<a foo=%22" title="...

i.e. `">test<a ...` was successfully injected into the HTML.

I'm attaching a quick patch I've used to patch up our instance.  It just indiscriminately URI-escapes all parameter keys.  I didn't decode them back since as far as I understand all valid keys do not contain special characters.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-08-07 21:00:04 -03:00
..
clubs
errors
external/overdrive
sci
sco Bug 33444: Update AddRenewal to take a hashref of params 2023-07-19 12:06:52 -03:00
svc Bug 25079: Add a 'edit' functionality to the Clubs tool in the staff interface 2023-06-23 11:00:49 -03:00
ilsdi.pl Bug 30944: Undo change to ILS-DI documentation 2022-10-03 13:44:11 -03:00
maintenance.pl
oai.pl
opac-account-pay-return.pl
opac-account-pay.pl
opac-account.pl
opac-addbybiblionumber.pl Bug 30418: Add ability for permitted staff to edit list contents 2023-05-15 18:23:57 -03:00
opac-alert-subscribe.pl
opac-article-request-cancel.pl
opac-authorities-home.pl Bug 33803: Remove comment about tab width 2023-06-06 09:58:47 -03:00
opac-authoritiesdetail.pl Bug 21330: Allow XSLT for authority detail view in OPAC 2023-05-15 18:24:03 -03:00
opac-basket.pl Bug 33102: Display fields from biblioitems in OPAC/staff interface cart 2023-05-05 17:45:19 -03:00
opac-blocked.pl
opac-browse.pl
opac-browser.pl
opac-changelanguage.pl
opac-course-details.pl Bug 32445: (follow-up) Fix availability display on opac-course-details 2023-01-05 09:09:48 -03:00
opac-course-reserves.pl
opac-curbside-pickups.pl Bug 30650: Prevent pickup to be created on holiday 2022-07-29 15:00:51 -03:00
opac-detail.pl Bug 34218: Send a record copy to avoid loss of information and display problems 2023-07-10 15:43:16 -03:00
opac-discharge.pl
opac-dismiss-message.pl Bug 12029: Remove 'params' from filter_by_unread 2023-04-20 15:48:47 -03:00
opac-downloadcart.pl Bug 29697: Use flag embed_items 2022-07-22 15:24:11 -03:00
opac-downloadshelf.pl Bug 33069: Fix error in MARC download for OPAC lists 2023-05-09 10:57:55 -03:00
opac-export.pl Bug 29697: Use flag embed_items 2022-07-22 15:24:11 -03:00
opac-holdshistory.pl
opac-ics.pl Bug 30927: Improve formatting or iCal files for checkout due dates 2022-08-09 07:39:17 -03:00
opac-idref.pl
opac-illrequests.pl Bug 33702: (QA follow-up) Do not crash on borrowernumber 2023-05-29 09:21:51 -03:00
opac-image.pl Bug 33047: Return 404 instead of 500 when biblio does not exist 2023-07-10 15:43:14 -03:00
opac-imageviewer.pl
opac-ISBDdetail.pl
opac-issue-note.pl
opac-library.pl Bug 31775: Show single library 2022-10-17 08:25:55 -03:00
opac-main.pl Bug 29691: Use template to display news on opac homepage 2023-06-15 08:48:13 -03:00
opac-MARCdetail.pl Bug 23247: Use EmbedItems in opac-MARCdetail.pl 2023-02-20 09:44:15 -03:00
opac-memberentry.pl Bug 33197: Rename GDPR_Policy system preference 2023-05-05 10:18:54 -03:00
opac-messaging.pl Bug 31743: Change condition for messaging tab 2022-11-04 20:01:13 -03:00
opac-modrequest-suspend.pl
opac-modrequest.pl Bug 14783: (QA follow-up) Rename method and move tests 2022-10-17 15:43:22 -03:00
opac-mymessages.pl
opac-news-rss.pl
opac-overdrive-search.pl
opac-page.pl Bug 32251: Add a fallback for when language cookie was removed 2023-01-27 16:20:24 -03:00
opac-passwd.pl
opac-password-recovery.pl Bug 31739: Password recovery from staff fails if previous expired reset-entry exists. 2022-10-24 14:12:16 -03:00
opac-patron-consent.pl Bug 33197: Rename GDPR_Policy system preference 2023-05-05 10:18:54 -03:00
opac-patron-image.pl
opac-privacy.pl
opac-ratings.pl
opac-readingrecord.pl Bug 33951: (QA follow-up) Import GetNormalizedOCLCNumber 2023-06-08 09:02:17 -03:00
opac-recall.pl
opac-recalls.pl
opac-registration-verify.pl Bug 33192: Update all occurrences of AutoEmailPrimaryAddress 2023-04-14 11:35:39 -03:00
opac-renew.pl Bug 33444: Update AddRenewal to take a hashref of params 2023-07-19 12:06:52 -03:00
opac-reportproblem.pl
opac-request-article.pl
opac-reserve.pl Bug 34178: Cache ItemsAnyAvailableAndNotRestricted in memory and don't precalculate 2023-07-19 13:00:42 -03:00
opac-reset-password.pl
opac-restrictedpage.pl
opac-retrieve-file.pl
opac-review.pl
opac-routing-lists.pl
opac-search-history.pl
opac-search.pl Bug 34023: Prevent HTML injection in "back to results" link from search page 2023-08-07 21:00:04 -03:00
opac-sendbasket.pl Bug 33223: Replace 'first_valid' with 'notice' for email addresses 2023-05-16 15:17:35 -03:00
opac-sendshelf.pl Bug 33223: Fix sendshelf 2023-05-16 15:17:36 -03:00
opac-serial-issues.pl
opac-shareshelf.pl
opac-shelves.pl Bug 30418: Add ability for permitted staff to edit list contents 2023-05-15 18:23:57 -03:00
opac-showmarc.pl
opac-showreviews.pl Bug 29697: Replace GetMarcBiblio occurrences with $biblio->metadata->record 2022-07-22 15:24:11 -03:00
opac-suggestions.pl Bug 33236: Move NewSuggestion to Koha::Suggestion->store 2023-06-06 10:08:35 -03:00
opac-tags.pl Bug 28375: (follow-up) Use C4::Context->interface 2022-10-20 11:50:53 -03:00
opac-tags_subject.pl
opac-topissues.pl
opac-user.pl Bug 33956: Use Koha::Biblio->opac_summary_html from opac-user.pl 2023-07-13 15:19:39 -03:00
tracklinks.pl Bug 30262: Trim whitespace off tracklinks.pl URLs 2022-08-31 08:46:11 -03:00
unapi