Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt
Liz 52fe123891 Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves 
A specially crafted url causes XSS in Koha

To test:

cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E

cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves

These should cause a popup without the patch. With the patch, no popup.

You may need to create these lists, the xss will not be triggered if the list doesn't exist or you don't
have permission to view them.

Signed-off-by: Chris <chris@bigballofwax.co.nz>

Fixes the two listed problems

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed patch fixes the problem.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-01-22 16:35:47 -03:00

118 lines
6.1 KiB
Text
Raw Blame History

[% USE Koha %]
[% IF ( fullpage ) %]
[% INCLUDE 'doc-head-open.inc' %][% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog &rsaquo; Download list [% shelfname %][% INCLUDE 'doc-head-close.inc' %]
[% BLOCK cssinclude %][% END %]
</head>
[% INCLUDE 'bodytag.inc' bodyid='opac-downloadlist' %]
[% INCLUDE 'masthead.inc' %]
<div class="main">
<ul class="breadcrumb">
<li><a href="/cgi-bin/koha/opac-main.pl">Home</a> <span class="divider">&rsaquo;</span></li>
[% IF ( loggedinusername ) %]
<li><a href="/cgi-bin/koha/opac-user.pl">[% FOREACH USER_INF IN USER_INFO %][% USER_INF.title %] [% USER_INF.firstname %] [% USER_INF.surname %][% END %]</a> <span class="divider">&rsaquo;</span></li>
[% END %]
<li>
[% IF ( showprivateshelves ) %]
<a href="/cgi-bin/koha/opac-shelves.pl">Your lists</a>
[% ELSE %]
<a href="/cgi-bin/koha/opac-shelves.pl?display=publicshelves">Public lists</a>
[% END %]
<span class="divider">&rsaquo;</span>
</li>
<li>Download list <i>[% shelfname %]</i></li>
</ul>
<div class="container-fluid">
<div class="row-fluid">
[% IF ( OpacNav||loggedinusername ) %]
<div class="span2">
<div id="navigation">
[% INCLUDE 'navigation.inc' IsPatronPage=1 %]
</div>
</div>
[% END %]
[% IF ( OpacNav||loggedinusername ) %]
<div class="span10">
[% ELSE %]
<div class="span12">
[% END %]
[% END # / IF fullpage %]
<div id="userdownloadshelf" class="maincontent">
[% UNLESS ( invalidlist ) %]
[% IF ( format ) %]
<div class="alert alert-info">
<p>Your download should begin automatically.</p>
</div>
[% ELSE %]
<h1>Download list <i>[% shelfname %]</i></h1>
<form method="post" action="/cgi-bin/koha/opac-downloadshelf.pl">
<fieldset>
<select name="format" id="dlformat" required="required">
<option value="">-- Choose format --</option>
<option value="ris">RIS (Zotero, EndNote, others)</option>
<option value="bibtex">BibTeX</option>
<option value="iso2709">MARC</option>
[% FOREACH csv_profile IN csv_profiles %]
<option value="[% csv_profile.export_format_id |html %]">CSV - [% csv_profile.profile |html %]</option>
[% END %]
</select>
<span class="required">Required</span>
</fieldset>
<fieldset class="action">
<input type="hidden" name="shelfid" value="[% shelfid | html %]" />
<input type="submit" name="save" class="btn" value="Go" />
<a href="/cgi-bin/koha/opac-shelves.pl?viewshelf=[% shelfid | html %]" class="cancel close" data-dismiss="modal">Cancel</a>
</fieldset>
</form>
[% IF ( modal ) %]
<script type="text/javascript">
//<![CDATA[
$(document).ready(function(){
$("#userdownloadshelf form").on("submit",function(e){
if( $("#dlformat").val() == "" ){
e.preventDefault();
alert(_("Please choose a download format"));
} else {
$("#modalWin").modal("hide");
}
});
});
//]]>
</script>
[% END %]
[% END # / IF format %]
[% ELSE %]
<div class="alert">
<p>You do not have permission to download this list.</p>
</div>
[% END # / invalidlist %]
</div> <!-- / #userdownloadshelf -->
[% IF ( fullpage ) %]
</div> <!-- / .span10 -->
</div> <!-- / .row-fluid -->
</div> <!-- / .container-fluid -->
</div> <!-- / .main -->
[% INCLUDE 'opac-bottom.inc' %]
[% BLOCK jsinclude %]
<script type="text/javascript">
//<![CDATA[
$(document).ready(function(){
$("#userdownloadshelf form").on("submit",function(e){
if( $("#dlformat").val() == "" ){
e.preventDefault();
alert(_("Please choose a download format"));
}
});
});
//]]>
</script>
[% END %]
[% END # / IF fullpage %]
View git blame Copy permalink