David Cook
4e32b76198
</script> tags are interpreted in JSON strings as HTML, which can lead to XSS attacks. This patch puts HTML escaped JSON in the value of a hidden HTML element. The Javascript then takes the value as a string, parses it as JSON, and is able to use it to save search filters without triggering a XSS attack. This patch also adds DataTable's built-in HTML escaping for the query and limits on the admin UI for the search filters. Test plan: 0. Apply patch 1. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=SavedSearchFilters 2. Enable the system preference 3. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e 4. Click "Save search as filter" 5. Checkbox "Show in staff interface?" 6. Type "E-TEST" into box and click 'Save' 7. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e 8. Click "E-TEST" under "Custom search filters" 9. Note that you see search results 10. Go to http://localhost:8081/cgi-bin/koha/admin/search_filters.pl 11. Note that for "E-TEST" you see a "Query" like {"operators":[],"operands":["e"],"indexes":[]} 12. Note that for "E-TEST" you see a "Limits" like {"limits":[]} Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> |
||
|---|---|---|
| .. | ||
| intranet-tmpl | ||
| opac-tmpl | ||