From a86de321f63fcd4b0c817848001163c647f3c2b6 Mon Sep 17 00:00:00 2001 From: Phil Ringnalda Date: Thu, 15 Aug 2024 19:57:42 -0700 Subject: [PATCH] Bug 37654: XSS in Batch record import for Citation column Viewing a staged MARC record batch loads a DataTable from /tools/batch_records_ajax.pl, and both batch_records_ajax.pl and the DataTable just trust the author/title/isbn/issn to be free of HTML. They shouldn't. Test plan: 1. Without this patch applied, download attachment 170418, then Cataloging - Stage records for import - Select the downloaded file - Upload file - Stage for import 2. When the background job completes, View batch - you'll get three alert()s from the title, author, and ISSN, and the author and ISSN displayed huge 3. Apply patch, restart_all 4. Manage staged records - click HTMLescapingimporttestrecord.mrc - get zero alerts and no

display Sponsored-by: Chetco Community Public Library Signed-off-by: David Cook Signed-off-by: Martin Renvoize Signed-off-by: wainuiwitikapark --- .../prog/en/modules/tools/manage-marc-import.tt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/manage-marc-import.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/manage-marc-import.tt index 29076b414f..9caab3bb0b 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/manage-marc-import.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/manage-marc-import.tt @@ -480,19 +480,19 @@ var additional_details = ""; if( aData['author'] ){ - additional_details += " " + aData['author'] + " "; + additional_details += " " + escape_str(aData['author']) + " "; } if( aData['isbn'] ){ - additional_details += " (" + aData['isbn'] + ") "; + additional_details += " (" + escape_str(aData['isbn']) + ") "; } if( aData['issn'] ){ - additional_details += " (" + aData['issn'] + ") "; + additional_details += " (" + escape_str(aData['issn']) + ") "; } $('td:eq(1)', nRow).html( - '' + aData['citation'] + ' ' + additional_details + '' + escape_str(aData['citation']) + ' ' + additional_details ); $('td:eq(2)', nRow).html( -- 2.39.5