From d2d365ca830345b9a519158f6d735d2abd125380 Mon Sep 17 00:00:00 2001
From: Chris Cormack <chrisc@catalyst.net.nz>
Date: Thu, 5 Dec 2013 10:09:20 +1300
Subject: [PATCH] Bug 11341: fix XSS bug in opac-search.pl (facets)

This patch fixes the prog theme; the bootstrap theme already
does the necessary filtering.

To test
1/ Craft a url like
 cgi-bin/koha/opac-search.pl?idx=kw&q=fish&offset=20" onmouseover%3dprompt(994000) bad%3d"
 (the search must return enough results to have a show more link in the facets)

2/ Check the source, or mouseover the Show more links in the facets
   Notice the code is executable

3/ Apply patch - notice it is no longer executable

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
---
 koha-tmpl/opac-tmpl/prog/en/includes/opac-facets.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/opac-tmpl/prog/en/includes/opac-facets.inc b/koha-tmpl/opac-tmpl/prog/en/includes/opac-facets.inc
index 04a18c6cff..414189659c 100644
--- a/koha-tmpl/opac-tmpl/prog/en/includes/opac-facets.inc
+++ b/koha-tmpl/opac-tmpl/prog/en/includes/opac-facets.inc
@@ -22,7 +22,7 @@
 [% IF ( facets_loo.type_label_Location ) %]Locations[% END %]
 <ul>
         [% FOREACH facet IN facets_loo.facets %]<li><a href="/cgi-bin/koha/opac-search.pl?[% query_cgi |html %][% limit_cgi |html %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by |html %][% END %]&amp;limit=[% facet.type_link_value %]:[% facet.facet_link_value %]" title="[% facet.facet_title_value |html %]">[% facet.facet_label_value %]</a> [% IF ( displayFacetCount ) %]([% facet.facet_count %])[% END %]</li>[% END %][% IF ( facets_loo.expandable ) %]
-        <li class="showmore"><a href="/cgi-bin/koha/opac-search.pl?[% query_cgi |html %][% limit_cgi |html %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by |html %][% END %][% IF ( offset ) %]&amp;offset=[% offset %][% END %]&amp;expand=[% facets_loo.expand %]#[% facets_loo.type_id %]">Show more</a></li>
+        <li class="showmore"><a href="/cgi-bin/koha/opac-search.pl?[% query_cgi |html %][% limit_cgi |html %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by |html %][% END %][% IF ( offset ) %]&amp;offset=[% offset |html %][% END %]&amp;expand=[% facets_loo.expand %]#[% facets_loo.type_id %]">Show more</a></li>
 [% END %]
 </ul></li>
 [% END %]
-- 
2.20.1