From e3c0b076d3cd7c7952b11254a45c7f9c8ed1b2e3 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 1 Oct 2020 11:22:46 +0200 Subject: [PATCH] Bug 26592: [19.11] Prevent XSS vulnerabilities when circ/ysearch.pl is used Signed-off-by: Aleisha Amohia (cherry picked from commit ca9c9225987814c1606f5241dfa1da3e267b177e) --- .../prog/en/includes/js_includes.inc | 17 ++++++++++++--- .../prog/en/modules/circ/request-article.tt | 21 +++++++++++++++---- .../prog/en/modules/course_reserves/course.tt | 20 ++++++++++++++++-- .../prog/en/modules/reserve/request.tt | 21 +++++++++++++++---- 4 files changed, 66 insertions(+), 13 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc index daf0dc7935..594f322598 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc @@ -98,11 +98,11 @@ var cardnumber = ""; if( item.cardnumber != "" ){ // Display card number in parentheses if it exists - cardnumber = " (" + item.cardnumber + ") "; + cardnumber = " (" + ( item.cardnumber ? item.surname.escapeHtml() : "" ) + ") "; } return $( "
  • " ) .data( "ui-autocomplete-item", item ) - .append( "" + item.surname + ", " + item.firstname + cardnumber + " " + item.dateofbirth + " " + item.address + " " + item.city + " " + item.zipcode + " " + item.country + "" ) + .append( "" + ( item.surname ? item.surname.escapeHtml() : "" ) + ", " + ( item.firstname ? item.firstname.escapeHtml : "" ) + ( cardnumber ? cardnumber.escapeHtml() : "" ) + " " + ( item.dateofbirth ? item.dateofbirth.escapeHtml() : "" ) + " " + ( item.address ? item.address.escapeHtml() : "" ) + " " + ( item.city ? item.city.escapeHtml() : "" ) + " " + ( item.zipcode ? item.zipcode.escapeHtml() : "" ) + " " + ( item.country ? item.country.escapeHtml() : "" ) + "" ) .appendTo( ul ); }; } @@ -130,7 +130,18 @@ } return $( "
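Review bot: The rewritten cardnumber assignment in the first js_includes.inc hunk escapes the wrong field — `cardnumber = " (" + ( item.cardnumber ? item.surname.escapeHtml() : "" ) + ") ";` tests item.cardnumber but emits item.surname, so the parenthesised value shown next to the patron is their surname rather than their card number. On the following .append line `item.firstname.escapeHtml` is missing its call parentheses, which concatenates the helper's source text instead of the escaped first name, and `( cardnumber ? cardnumber.escapeHtml() : "" )` re-escapes a value this same hunk has already escaped, so any escaped character in the card number is encoded twice. The two lines should read `cardnumber = " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ") ";` and `( item.firstname ? item.firstname.escapeHtml() : "" ) + cardnumber + " " + …` with the rest of the chain unchanged. The enclosing _renderItem function starts before this hunk.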
  • " ) .data( "ui-autocomplete-item", item ) - .append( "" + item.surname + ", " + item.firstname + cardnumber + " " + item.dateofbirth + " " + item.address + " " + item.city + " " + item.zipcode + " " + item.country + "" ) + .append( + "" + ( item.surname ? item.surname.escapeHtml() : "" ) + ", " + + ( item.firstname ? item.firstname.escapeHtml() : "" ) + + cardnumber.escapeHtml() + + " " + + ( item.dateofbirth ? item.dateofbirth.escapeHtml() : "" ) + " " + + ( item.address ? item.address.escapeHtml() : "" ) + " " + + ( item.city ? item.city.escapeHtml() : "" ) + " " + + ( item.zipcode ? item.zipcode.escapeHtml() : "" ) + " " + + ( item.country ? item.country.escapeHtml() : "" ) + + "" + + "" ) .appendTo( ul ); }; } diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt index e2257fc8e5..c65582918c 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt @@ -323,10 +323,23 @@ .data( "ui-autocomplete" )._renderItem = function( ul, item ) { return $( "
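Review bot: `cardnumber.escapeHtml()` in the second js_includes.inc hunk escapes a variable whose assignment sits above the hunk, so the output is correctly encoded only while that assignment keeps inserting the raw item.cardnumber; a comment on that assignment, `// kept unescaped: _renderItem escapes cardnumber when it builds the markup`, would stop a later edit from encoding it twice. The first hunk of this file guards the same variable with `( cardnumber ? cardnumber.escapeHtml() : "" )` while this one calls it unconditionally; the two renderers should use one form. The same per-field escaping chain is now copied here and into circ/request-article.tt, course_reserves/course.tt and reserve/request.tt, so a single helper in js_includes.inc that takes an item and returns the escaped markup would leave one place to audit for output encoding instead of four. The enclosing _renderItem function starts before this hunk.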
  • " ) .data( "ui-autocomplete-item", item ) - .append( "" + item.surname + ", " + item.firstname + - " (" + item.cardnumber + ") " + item.address + - " " + item.city + " " + item.zipcode + " " + - item.country + "" ) + .append( + "" + + ( item.surname ? item.surname.escapeHtml() : "" ) + + ", " + + ( item.firstname ? item.firstname.escapeHtml() : "" ) + + " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")" + + " " + + "" + + ( item.address ? item.address.escapeHtml() : "" ) + + " " + + ( item.city ? item.city.escapeHtml() : "" ) + + " " + + ( item.zipcode ? item.zipcode.escapeHtml() : "" ) + + " " + + ( item.country ? item.country.escapeHtml() : "" ) + + "" + + "" ) .appendTo( ul ); }; } diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt index a47195d8bf..2111675ee5 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt @@ -169,7 +169,23 @@ .data( "ui-autocomplete" )._renderItem = function( ul, item ) { return $( "
  • " ) .data( "ui-autocomplete-item", item ) - .append( "" + item.surname + ", " + item.firstname + " (" + item.cardnumber + ") " + item.address + " " + item.city + " " + item.zipcode + " " + item.country + "" ) + .append( + "" + + ( item.surname ? item.surname.escapeHtml() : "" ) + + ", " + + ( item.firstname ? item.firstname.escapeHtml() : "" ) + + " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")" + + " " + + "" + + ( item.address ? item.address.escapeHtml() : "" ) + + " " + + ( item.city ? item.city.escapeHtml() : "" ) + + " " + + ( item.zipcode ? item.zipcode.escapeHtml() : "" ) + + " " + + ( item.country ? item.country.escapeHtml() : "" ) + + "" + + "" ) .appendTo( ul ); }; @@ -186,7 +202,7 @@ }); function AddInstructor( name, borrowernumber ) { - div = "
    " + name + " ( " + _("Remove")+ " )
    "; + div = "
    " + ( name ? name.escapeHtml() : "" ) + " ( " + _("Remove")+ " )
    "; $('#instructors').append( div ); $('#find_instructor').val('').focus(); diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt index bedf765abe..46cd969899 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt @@ -1243,10 +1243,23 @@ .data( "ui-autocomplete" )._renderItem = function( ul, item ) { return $( "
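Review bot: The rewritten `div = "…"` line in AddInstructor assigns without a declaration, so `div` becomes an implicit global on every call; since this file already uses `var`, `var div = …` keeps it local. The hunk shows only `name` going through escapeHtml, while `borrowernumber` is the other parameter of the same function; if it is interpolated into the same markup (the tags are not visible in this extract) it should receive the same treatment, wrapped in `String()` first if it can arrive as a number, given that escapeHtml appears to be a string-prototype helper. AddInstructor's body continues past the end of the hunk.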
  • " ) .data( "ui-autocomplete-item", item ) - .append( "" + item.surname + ", " + item.firstname + - " (" + item.cardnumber + ") " + item.address + - " " + item.city + " " + item.zipcode + " " + - item.country + "" ) + .append( + "" + + ( item.surname ? item.surname.escapeHtml() : "" ) + + ", " + + ( item.firstname ? item.firstname.escapeHtml() : "" ) + + " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")" + + " " + + "" + + ( item.address ? item.address.escapeHtml() : "" ) + + " " + + ( item.city ? item.city.escapeHtml() : "" ) + + " " + + ( item.zipcode ? item.zipcode.escapeHtml() : "" ) + + " " + + ( item.country ? item.country.escapeHtml() : "" ) + + "" + + "" ) .appendTo( ul ); }; [% END %] -- 2.39.5