From 858ca2ac2bdb6c48f7c2dd3fd99613ba204981f5 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 1 Oct 2020 11:22:46 +0200
Subject: [PATCH] Bug 26592: [19.05] Prevent XSS vulnerabilities when circ/ysearch.pl is used
Signed-off-by: Victor Grousset/tuxayo
---
 .../prog/en/includes/js_includes.inc | 4 ++--
 .../prog/en/modules/circ/request-article.tt | 21 +++++++++++++++----
 .../prog/en/modules/course_reserves/course.tt | 20 ++++++++++++++++--
 .../prog/en/modules/reserve/request.tt | 21 +++++++++++++++----
 4 files changed, 54 insertions(+), 12 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc
index 5dbb968b2c..0a5161aa34 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc
@@ -98,11 +98,11 @@
 var cardnumber = "";
 if( item.cardnumber != "" ){
 // Display card number in parentheses if it exists
- cardnumber = " (" + item.cardnumber + ") ";
+ cardnumber = " (" + ( item.cardnumber ? item.surname.escapeHtml() : "" ) + ") ";
 }
 return $( "
  • " )
 .data( "ui-autocomplete-item", item )
- .append( "" + item.surname + ", " + item.firstname + cardnumber + " " + item.dateofbirth + " " + item.address + " " + item.city + " " + item.zipcode + " " + item.country + "" )
+ .append( "" + ( item.surname ? item.surname.escapeHtml() : "" ) + ", " + ( item.firstname ? item.firstname.escapeHtml : "" ) + ( cardnumber ? cardnumber.escapeHtml() : "" ) + " " + ( item.dateofbirth ? item.dateofbirth.escapeHtml() : "" ) + " " + ( item.address ? item.address.escapeHtml() : "" ) + " " + ( item.city ? item.city.escapeHtml() : "" ) + " " + ( item.zipcode ? item.zipcode.escapeHtml() : "" ) + " " + ( item.country ? item.country.escapeHtml() : "" ) + "" )
 .appendTo( ul );
 };
 }
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt
index fdc8d7c6ee..c1ece89281 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt
@@ -323,10 +323,23 @@
 .data( "ui-autocomplete" )._renderItem = function( ul, item ) {
 return $( "
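Review bot: The card-number branch in the js_includes.inc hunk escapes the wrong field — `( item.cardnumber ? item.surname.escapeHtml() : "" )` puts the surname inside the parentheses and the card number is never displayed; the line should read `cardnumber = " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ") ";`. In the appended markup `item.firstname.escapeHtml` is missing its call parentheses, so the helper's function source is concatenated in place of the first name, and `cardnumber.escapeHtml()` re-escapes a string that was already escaped two lines above, so an `&` in the value would render as `&amp;amp;`; `( item.firstname ? item.firstname.escapeHtml() : "" ) + cardnumber +` fixes both. A patron record whose names contain `&` or `<` would make all three slips visible in the suggestion list. The enclosing _renderItem callback starts before this hunk.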
  • " )
 .data( "ui-autocomplete-item", item )
- .append( "" + item.surname + ", " + item.firstname +
- " (" + item.cardnumber + ") " + item.address +
- " " + item.city + " " + item.zipcode + " " +
- item.country + "" )
+ .append(
+ "" +
+ ( item.surname ? item.surname.escapeHtml() : "" ) +
+ ", " +
+ ( item.firstname ? item.firstname.escapeHtml() : "" ) +
+ " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")" +
+ " " +
+ "" +
+ ( item.address ? item.address.escapeHtml() : "" ) +
+ " " +
+ ( item.city ? item.city.escapeHtml() : "" ) +
+ " " +
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" ) +
+ " " +
+ ( item.country ? item.country.escapeHtml() : "" ) +
+ "" +
+ "" )
 .appendTo( ul );
 };
 }
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt
index a47195d8bf..2111675ee5 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt
@@ -169,7 +169,23 @@
 .data( "ui-autocomplete" )._renderItem = function( ul, item ) {
 return $( "
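Review bot: Each field in the request-article.tt hunk is escaped by calling `.escapeHtml()` directly on the decoded JSON value, which only works when that value is a string; should circ/ysearch.pl ever emit a field as a JSON number the call throws, and a null falls through to the `""` branch only because of the truthiness test, so it is worth confirming the script always returns strings or coercing first, e.g. `( item.cardnumber != null ? String( item.cardnumber ).escapeHtml() : "" )`. This render callback is now repeated almost verbatim in request-article.tt, course_reserves/course.tt and reserve/request.tt, while the js_includes.inc copy of the same code drifted within this very patch; moving the per-field escaping into one shared helper in js_includes.inc would stop the four copies diverging again. The same point applies to the course.tt and reserve/request.tt hunks. The enclosing autocomplete setup starts before this hunk.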
  • " )
 .data( "ui-autocomplete-item", item )
- .append( "" + item.surname + ", " + item.firstname + " (" + item.cardnumber + ") " + item.address + " " + item.city + " " + item.zipcode + " " + item.country + "" )
+ .append(
+ "" +
+ ( item.surname ? item.surname.escapeHtml() : "" ) +
+ ", " +
+ ( item.firstname ? item.firstname.escapeHtml() : "" ) +
+ " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")" +
+ " " +
+ "" +
+ ( item.address ? item.address.escapeHtml() : "" ) +
+ " " +
+ ( item.city ? item.city.escapeHtml() : "" ) +
+ " " +
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" ) +
+ " " +
+ ( item.country ? item.country.escapeHtml() : "" ) +
+ "" +
+ "" )
 .appendTo( ul );
 };
@@ -186,7 +202,7 @@
 });
 function AddInstructor( name, borrowernumber ) {
- div = "
    " + name + " ( " + _("Remove")+ " )
    ";
+ div = "
    " + ( name ? name.escapeHtml() : "" ) + " ( " + _("Remove")+ " )
    ";
 $('#instructors').append( div );
 $('#find_instructor').val('').focus();
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt
index 5a96a1f3b5..0fc4454401 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt
@@ -902,10 +902,23 @@
 .data( "ui-autocomplete" )._renderItem = function( ul, item ) {
 return $( "
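Review bot: The rewritten `div = ...` line in AddInstructor escapes `name` but not `borrowernumber`, the function's other parameter; the element markup on that line is not legible in this view, so if borrowernumber is interpolated into an id, an attribute or an inline handler it needs its own treatment, and since it is an identifier the safest form is to validate it rather than HTML-escape it, e.g. `var id = Number.parseInt( borrowernumber, 10 );` used in place of the raw value. While the line is being rewritten, `div` is assigned without a declaration and so becomes an implicit global; `var div = "..."` keeps it local to the function. AddInstructor's body continues outside the hunk.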
  • " )
 .data( "ui-autocomplete-item", item )
- .append( "" + item.surname + ", " + item.firstname +
- " (" + item.cardnumber + ") " + item.address +
- " " + item.city + " " + item.zipcode + " " +
- item.country + "" )
+ .append(
+ "" +
+ ( item.surname ? item.surname.escapeHtml() : "" ) +
+ ", " +
+ ( item.firstname ? item.firstname.escapeHtml() : "" ) +
+ " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")" +
+ " " +
+ "" +
+ ( item.address ? item.address.escapeHtml() : "" ) +
+ " " +
+ ( item.city ? item.city.escapeHtml() : "" ) +
+ " " +
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" ) +
+ " " +
+ ( item.country ? item.country.escapeHtml() : "" ) +
+ "" +
+ "" )
 .appendTo( ul );
 };
 [% END %]
-- 
2.39.5