Koha/koha-tmpl at acf91323c5253db5058812628bca58193054c65b - Koha-community/Koha - Koha: The world's first free and open source library system

History

David Cook acf91323c5 Bug 34761: Prevent XSS for searches and saved search filters </script> tags are interpreted in JSON strings as HTML, which can lead to XSS attacks. This patch puts HTML escaped JSON in the value of a hidden HTML element. The Javascript then takes the value as a string, parses it as JSON, and is able to use it to save search filters without triggering a XSS attack. This patch also adds DataTable's built-in HTML escaping for the query and limits on the admin UI for the search filters. Test plan: 0. Apply patch 1. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=SavedSearchFilters 2. Enable the system preference 3. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e 4. Click "Save search as filter" 5. Checkbox "Show in staff interface?" 6. Type "E-TEST" into box and click 'Save' 7. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e 8. Click "E-TEST" under "Custom search filters" 9. Note that you see search results 10. Go to http://localhost:8081/cgi-bin/koha/admin/search_filters.pl 11. Note that for "E-TEST" you see a "Query" like {"operators":[],"operands":["e"],"indexes":[]} 12. Note that for "E-TEST" you see a "Limits" like {"limits":[]} Signed-off-by: Lucas Gass <lucas@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> (cherry picked from commit `4e32b76198`) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>	2023-09-26 21:25:13 -10:00
..
intranet-tmpl	Bug 34761: Prevent XSS for searches and saved search filters	2023-09-26 21:25:13 -10:00
opac-tmpl	Bug 34730: Add responsive behavior to more tables in the OPAC	2023-09-20 20:34:03 -10:00

David Cook acf91323c5 Bug 34761: Prevent XSS for searches and saved search filters

</script> tags are interpreted in JSON strings as HTML, which can
lead to XSS attacks.

This patch puts HTML escaped JSON in the value of a hidden HTML element.
The Javascript then takes the value as a string, parses it as JSON,
and is able to use it to save search filters without triggering a
XSS attack.

This patch also adds DataTable's built-in HTML escaping for the query
and limits on the admin UI for the search filters.

Test plan:
0. Apply patch
1. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=SavedSearchFilters
2. Enable the system preference
3. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
4. Click "Save search as filter"
5. Checkbox "Show in staff interface?"
6. Type "E-TEST" into box and click 'Save'
7. Go to
http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
8. Click "E-TEST" under "Custom search filters"
9. Note that you see search results
10. Go to
http://localhost:8081/cgi-bin/koha/admin/search_filters.pl
11. Note that for "E-TEST" you see a "Query" like
{"operators":[],"operands":["e"],"indexes":[]}
12. Note that for "E-TEST" you see a "Limits" like
{"limits":[]}

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 4e32b76198)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

2023-09-26 21:25:13 -10:00

intranet-tmpl Bug 34761: Prevent XSS for searches and saved search filters 2023-09-26 21:25:13 -10:00

opac-tmpl Bug 34730: Add responsive behavior to more tables in the OPAC 2023-09-20 20:34:03 -10:00