From 01e89903d269ab4ea86f980e9cc7ab8d1e3cfd26 Mon Sep 17 00:00:00 2001 From: Owen Leonard Date: Tue, 11 Aug 2020 17:26:18 +0000 Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: unimarc_field_4XX.tt To test, edit a MARC framework to link a subfield to the unimarc_field_4XX.tt. The process of triggering the plugin and selecting a search result from the plugin popup should work correctly. Signed-off-by: Nick Clemens Signed-off-by: Katrin Fischer Signed-off-by: Andrew Fuerste-Henry
---
 .../value_builder/unimarc_field_4XX.tt | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/value_builder/unimarc_field_4XX.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/value_builder/unimarc_field_4XX.tt
index c45ca625f7..7eea3d5103 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/value_builder/unimarc_field_4XX.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/value_builder/unimarc_field_4XX.tt
@@ -169,55 +169,55 @@ var subfield = subfields[i+1];
 if(code.value == '9'){
- subfield.value = "[% To.json( subfield_value_9 ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_9 ) | html %]";
 }
 if(code.value == '0'){
- subfield.value = "[% To.json( subfield_value_0 ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_0 ) | html %]";
 }
 if(code.value == 'a'){
- subfield.value = "[% To.json( subfield_value_a ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_a ) | html %]";
 }
 if(code.value == 'c'){
- subfield.value = "[% To.json( subfield_value_c ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_c ) | html %]";
 }
 if(code.value == 'd'){
- subfield.value = "[% To.json( subfield_value_d ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_d ) | html %]";
 }
 if(code.value == 'e'){
- subfield.value = "[% To.json( subfield_value_e ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_e ) | html %]";
 }
 if(code.value == 'h'){
- subfield.value = "[% To.json( subfield_value_h ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_h ) | html %]";
 }
 if(code.value == 'i'){
- subfield.value = "[% To.json( subfield_value_i ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_i ) | html %]";
 }
 if(code.value == 'l'){
- subfield.value = "[% To.json( subfield_value_l ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_l ) | html %]";
 }
 if(code.value == 'n'){
- subfield.value = "[% To.json( subfield_value_n ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_n ) | html %]";
 }
 if(code.value == 'o'){
- subfield.value = "[% To.json( subfield_value_o ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_o ) | html %]";
 }
 if(code.value == 'p'){
- subfield.value = "[% To.json( subfield_value_p ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_p ) | html %]";
 }
 if(code.value == 't'){
- subfield.value = "[% To.json( subfield_value_t ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_t ) | html %]";
 }
 if(code.value == 'u'){
- subfield.value = "[% To.json( subfield_value_u ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_u ) | html %]";
 }
 if(code.value == 'v'){
- subfield.value = "[% To.json( subfield_value_v ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_v ) | html %]";
 }
 if(code.value == 'x'){
- subfield.value = "[% To.json( subfield_value_x ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_x ) | html %]";
 }
 if(code.value == 'y'){
- subfield.value = "[% To.json( subfield_value_y ) | $raw %]";
+ subfield.value = "[% To.json( subfield_value_y ) | html %]";
 }
 }
 }
-- 2.39.5
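Review bot: Switching every line to `| html` does close the injection (Template Toolkit's html filter entity-encodes `<`, `>`, `&` and `"`, so neither the JS string literal nor the enclosing `<script>` block can be terminated early), but a browser never decodes entities inside a script block, so a subfield value containing `&`, `"` or `<` will now reach `subfield.value` as `&amp;`, `&quot;` or `&lt;` instead of the original character. The test plan only covers the happy path; a search result whose title contains an ampersand or quotes would show whether the stored subfield is altered, and if To.json already returns a quoted JSON literal the outer `"…"` on each line doubles the quotes as well — worth confirming against the plugin's actual output rather than inferring from here. Stylistically, the seventeen identical `if(code.value == 'x')` branches could become one object literal of `'x': "[% To.json( subfield_value_x ) | html %]"` entries followed by `if (code.value in values) subfield.value = values[code.value];`, which keeps the filter choice in a single place and drops the loose `==` comparisons. The enclosing loop and function begin before the hunk.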