From 9179e5b707673d8c9b16f842dc3abffede36b1be Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:41:13 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: authorities/blinddetail-biblio-search.tt

Test the process of searching for and selecting an authority record for use in the basic MARC editor.

Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit 57a2a82c504815d5d8e95c20be43611d96abcf13)
Signed-off-by: Victor Grousset/tuxayo
(cherry picked from commit 2631c0bcb7a90beaf62ce1401769c4c64f78c0b5)
Signed-off-by: Wainui Witika-Park
---
 .../modules/authorities/blinddetail-biblio-search.tt | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
index 6822225ea9..f30bba6ba6 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
@@ -30,12 +30,12 @@
 var new_line = "";
 [% ELSE %]
 var new_line = "
- [%- FOREACH SUBFIELD_LOO IN SUBFIELD_LOOP -%]‡
- [%- SUBFIELD_LOO.marc_subfield |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r ') | html -%]
- [%- FOREACH marc_value IN SUBFIELD_LOO.marc_values -%]
- [%- marc_value |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html -%]
- [%- END -%]
- [%- END -%]‡9[% authid | html %]";
+ [%- FOREACH SUBFIELD_LOO IN SUBFIELD_LOOP -%]‡
+ [%- To.json( SUBFIELD_LOO.marc_subfield ) | html -%]
+ [%- FOREACH marc_value IN SUBFIELD_LOO.marc_values -%]
+ [%- To.json( marc_value ) | html -%]
+ [%- END -%]
+ [%- END -%]‡9[% authid | html %]";
 [% END %]
 RancorReplaceField( new_line, "[% indicator1 | html %]", "[% indicator2 | html %]" );
 [% ELSE %]
-- 
2.39.5
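Review bot: `[%- To.json( SUBFIELD_LOO.marc_subfield ) | html -%]` (and the matching `To.json( marc_value )` line) presumably emits a JSON string literal, i.e. the value wrapped in its own double quotes and JSON-escaped, and `| html` then rewrites those quotes as `&quot;`; because this output lands inside the already-open JS literal `var new_line = "` in what looks like a `<script>` block (its start and the RancorReplaceField definition are outside the hunk), the entities are not decoded, so the injection path is closed but RancorReplaceField would receive `‡&quot;a&quot;&quot;value&quot;` instead of `‡avalue`. Worth confirming against the opener's RancorReplaceField before merging. If it does not decode entities, the robust shape is to hand the data to JavaScript as JSON via `$raw` and assemble the delimited string there, so no value is ever spliced into a string literal; this assumes SUBFIELD_LOOP is a plain array of hashes that To.json can serialise, which the hunk does not show.
```javascript
[% ELSE %]
    var subfields = [% To.json( SUBFIELD_LOOP ) | $raw %];
    var new_line = subfields.map(function (sf) {
        return "‡" + sf.marc_subfield + sf.marc_values.join("");
    }).join("") + "‡9" + [% To.json( authid ) | $raw %];
[% END %]
// … unchanged: RancorReplaceField call …
```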