From b4dbedbcd43ba2a3a4d6d2922e274a3c2afa5496 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:34:18 +0000
Subject: [PATCH] Bug 26102: [19.11] Prevent XSS when To.json is used: authorities/authorities.tt

Check that mandatory tags and subfields are correctly required when editing an authority record.

Signed-off-by: Wainui Witika-Park
---
 .../intranet-tmpl/prog/en/modules/authorities/authorities.tt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt
index 29b373dd35..a5e668637e 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt
@@ -1,5 +1,6 @@
 [% USE raw %]
 [% USE Asset %]
+[% USE To %]
 [% INCLUDE 'doc-head-open.inc' %]
 Koha › Authorities › [% IF ( authid ) %]Modify authority #[% authid | html %] ([% authtypetext | html %])[% ELSE %]Adding authority ([% authtypetext | html %])[% END %]
 [% INCLUDE 'doc-head-close.inc' %]
@@ -69,7 +70,7 @@ function AreMandatoriesNotOk(){
 [% FOREACH subfield_loo IN innerloo.subfield_loop %]
 [% IF ( subfield_loo.mandatory ) %]mandatories.push("[% subfield_loo.id | html %]");
 tab.push("[% BIG_LOO.number | html %]");
-label.push("[% subfield_loo.marc_lib | $raw |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') %]");
+label.push("[% To.json(subfield_loo.marc_lib) | html %]");
 [% END %]
 [% END %]
 [% END %]
-- 
2.39.5
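Review bot: The new `label.push("[% To.json(subfield_loo.marc_lib) | html %]");` line in the second hunk nests two encodings inside a JavaScript string literal: To.json already emits a quoted JSON string, and `| html` then entity-encodes those quotes and any `&`, `<`, `>` in the label, so inside the `<script>` block the pushed value would presumably read like `&quot;Personal name&quot;` rather than `Personal name`, since browsers do not decode entities in script context. That is the safe direction for the bug (a label containing `</script>` can no longer close the script block, and quotes cannot end the string), but whether it displays correctly depends on how `label[i]` is consumed later in AreMandatoriesNotOk, which starts before and continues after the hunk; if it is shown as plain text, the user will see the entities and the stray quotes, whereas if it is inserted as HTML they will be decoded. Please confirm the consumer and, if it is plain text, compare with how the sibling `addbiblio.tt` change in this series handles the same `label.push` so the two templates stay consistent. In either case a template comment on the line, `[%# marc_lib may contain quotes or markup: To.json makes it a JS-safe literal, html keeps it from terminating the script tag %]`, would stop a later reader from "simplifying" it back to `$raw`.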