From a2b2e94686e7aa8362fd5d89031052d1adf0a067 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:31:26 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: admin/preferences.tt

Test that preference search term highlighting works correctly.

Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit 5df95693f93e1ef95f74eb4a118319e84ed7703e)
Signed-off-by: Victor Grousset/tuxayo
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
index 961676261b..b659cf52fc 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
@@ -266,7 +266,7 @@
 });
 });
 // This is here because of its dependence on template variables, everything else should go in js/pages/preferences.js - jpw
-var to_highlight = "[% To.json( searchfield ) | $raw %]";
+var to_highlight = "[% To.json( searchfield ) | html %]";
 var search_jumped = [% IF ( search_jumped ) %]true[% ELSE %]false[% END %];
 [% Asset.js("lib/jquery/plugins/humanmsg.js") | $raw %]
-- 
2.39.5
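Review bot: The `| html` filter on the new `to_highlight` line escapes for an HTML text/attribute context, yet the value sits inside a JavaScript string literal in a `<script>` block, where the parser does not decode entities, so a search term containing `&`, `<`, `>` or `"` reaches the script as literal `&amp;`, `&lt;`, `&gt;` or `&quot;`. The breakout is closed — JSON encoding handles backslashes and control characters, `| html` neutralises `</script>` and the closing quote — so the fix holds, but highlighting may then fail to match the rendered text for such terms, and the test plan should include one. Whether To.json emits the surrounding JSON quotes, and whether js/pages/preferences.js decodes entities before highlighting, cannot be seen from this hunk; if it does emit them, even a plain term arrives as `&quot;term&quot;`. A comment on that line would stop a later revert to `$raw`: `[%# 'html' on purpose: output lands in a JS string; entities stay literal but cannot escape the string or the script block %]`.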