From 1d0d5f1398687ead3a17cd40f74f879e8ddf9a9d Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 29 Sep 2016 08:46:49 +0100 Subject: [PATCH] Bug 17365: Fix XSS in moremember.pl and memberentry.pl There are certainly hundred of places where they are not escaped... Test plan: Create a patron with "Arun " in some of the fields. Signed-off-by: Chris Cormack Signed-off-by: Katrin Fischer Signed-off-by: Brendan Gallagher --- .../prog/en/includes/circ-menu.inc | 14 ++--- .../prog/en/includes/members-toolbar.inc | 2 +- .../prog/en/includes/patron-title.inc | 16 +++--- .../prog/en/modules/members/memberentrygen.tt | 46 ++++++++-------- .../prog/en/modules/members/moremember.tt | 52 +++++++++---------- 5 files changed, 65 insertions(+), 65 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc index 56d3ae60ff..a90ad67336 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc @@ -8,9 +8,9 @@
    [% IF ( patronimages ) %] [% IF ( picture ) %] -
  • [% firstname %] [% surname %] ([% cardnumber %])
    • +
  • [% firstname | html %] [% surname | html %] ([% cardnumber | html %])
    • [% ELSE %] -
  • [% firstname %] [% surname %] ([% cardnumber %])
    • +
  • [% firstname | html %] [% surname | html %] ([% cardnumber | html %])
    • [% END %] [% END %] [% IF Koha.Preference( 'AddressFormat' ) %] @@ -20,21 +20,21 @@ [% END %] [% IF ( phone ) %]
  • - [% phone %] + [% phone | html %] [% ELSE %] [% IF ( mobile ) %] - [% mobile %] + [% mobile | html %] [% ELSE %] [% IF ( phonepro ) %] - [% phonepro %] + [% phonepro | html %] [% END %] [% END %]
    • [% END %] [% IF ( email ) %] - + [% ELSE %] [% IF ( emailpro ) %] - + [% END %] [% END %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/members-toolbar.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/members-toolbar.inc index b9d97acd09..bb8b68ddf9 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/members-toolbar.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/members-toolbar.inc @@ -223,7 +223,7 @@ function searchToHold(){ [% bor_notes = AuthorisedValues.Get( 'BOR_NOTES' ) %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/patron-title.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/patron-title.inc index dbcab25ef1..caf45d6a15 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/patron-title.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/patron-title.inc @@ -1,27 +1,27 @@ [%- IF ( borrower.borrowernumber ) %] [%- IF borrower.category_type == 'I' %] - [%- borrower.surname %] [% IF borrower.othernames %] ([% borrower.othernames %]) [% END %] + [%- borrower.surname | html %] [% IF borrower.othernames %] ([% borrower.othernames | html %]) [% END %] [%- ELSE %] [%- IF invert_name %] - [%- borrower.surname %], [% borrower.firstname %] [% IF borrower.othernames %] ([% borrower.othernames %]) [% END %] + [%- borrower.surname | html %], [% borrower.firstname | html %] [% IF borrower.othernames %] ([% borrower.othernames | html %]) [% END %] [%- ELSE %] - [%- borrower.firstname %] [% IF borrower.othernames %] ([% borrower.othernames %]) [% END %] [% borrower.surname %] + [%- borrower.firstname | html %] [% IF borrower.othernames %] ([% borrower.othernames | html %]) [% END %] [% borrower.surname | html %] [%- END -%] [%- END -%] [%- IF ( borrower.cardnumber ) -%] - ([% borrower.cardnumber %]) + ([% borrower.cardnumber | html %]) [%- END %] [%- ELSIF ( borrowernumber ) %] [%- IF category_type == 'I' %] - [%- surname %] [% IF othernames %] ([% othernames %]) [% END %] + [%- surname | html %] [% IF othernames %] ([% othernames | html %]) [% END %] [%- ELSE %] [%- IF invert_name %] - [%- surname %], [% firstname %] [% IF othernames %] ([% othernames %]) [% END %] + [%- surname | html %], [% firstname | html %] [% IF othernames %] ([% othernames | html %]) [% END %] [%- ELSE %] - [%- firstname %] [% IF othernames %] ([% othernames %]) [% END %] [% surname %] + [%- firstname | html %] [% IF othernames %] ([% othernames | html %]) [% END %] [% surname | html %] [%- END %] [%- END -%] [%- IF ( cardnumber ) -%] - ([% cardnumber %]) + ([% cardnumber | html %]) [%- END %] [%- END -%] diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt index 82418ffb01..c5a3696448 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt @@ -107,7 +107,7 @@ $(document).ready(function() { [% INCLUDE 'patron-search.inc' %] [% IF ( opadd ) %]
    [% ELSE %]
    [% END %] @@ -129,7 +129,7 @@ $(document).ready(function() { [% INCLUDE 'noadd-warnings.inc' %] [% UNLESS ( no_add ) %] -

    [% IF ( opadd ) %]Add[% ELSIF ( opduplicate ) %]Duplicate[% ELSE %] Modify[% END %] patron [% IF (firstname) %][% firstname %] [% END %][% IF (surname) %][% surname %] [% END %]([%IF ( categoryname ) %][% categoryname %][% ELSE %][% IF ( I ) %]Organization[% END %][% IF ( A ) %]Adult[% END %][% IF ( C ) %]Child[% END %][% IF ( P ) %]Professional[% END %][% IF ( S ) %]Staff[% END %][% END %])

    +

    [% IF ( opadd ) %]Add[% ELSIF ( opduplicate ) %]Duplicate[% ELSE %] Modify[% END %] patron [% IF (firstname) %][% firstname | html %] [% END %][% IF (surname) %][% surname | html %] [% END %]([%IF ( categoryname ) %][% categoryname %][% ELSE %][% IF ( I ) %]Organization[% END %][% IF ( A ) %]Adult[% END %][% IF ( C ) %]Child[% END %][% IF ( P ) %]Professional[% END %][% IF ( S ) %]Staff[% END %][% END %])

    [% IF quickadd && opadd && !check_member %] Show full form @@ -304,7 +304,7 @@ $(document).ready(function() { - + [% IF ( mandatoryfirstname ) %]Required[% END %] [% END %] @@ -332,7 +332,7 @@ $(document).ready(function() { - + [% IF ( mandatoryinitials ) %]Required[% END %] [% END %] @@ -345,7 +345,7 @@ $(document).ready(function() { - + [% IF ( mandatoryothernames ) %]Required[% END %] [% IF ( I ) %][% END %] @@ -403,9 +403,9 @@ $(document).ready(function() { [% IF ( guarantorid ) %] [% contactname %] - + [% ELSE %] - + [% END %] [% ELSE %] @@ -422,9 +422,9 @@ $(document).ready(function() { [% IF ( guarantorid ) %] [% contactname %] - + [% ELSE %] - + [% END %] [% END %] @@ -433,9 +433,9 @@ $(document).ready(function() { [% IF ( guarantorid ) %] [% contactfirstname %] - + [% ELSE %] - + [% END %] [% END %] @@ -502,7 +502,7 @@ $(document).ready(function() { - + [% IF ( mandatoryphone ) %]Required[% END %]
    Shows on transit slips
    @@ -515,7 +515,7 @@ $(document).ready(function() { - + [% IF ( mandatoryphonepro ) %]Required[% END %] [% END %] @@ -527,7 +527,7 @@ $(document).ready(function() { - + [% IF ( mandatorymobile ) %]Required[% END %] [% END %] @@ -539,7 +539,7 @@ $(document).ready(function() { - + [% IF ( mandatoryemail ) %]Required[% END %]
    Shows on transit slips
    @@ -552,7 +552,7 @@ $(document).ready(function() { - + [% IF ( mandatoryemailpro ) %]Required[% END %] [% END %] @@ -564,7 +564,7 @@ $(document).ready(function() { - + [% IF ( mandatoryfax ) %]Required[% END %] [% END %] @@ -607,19 +607,19 @@ $(document).ready(function() { [% END %] Card number: [% IF minlength_cardnumber == maxlength_cardnumber %] - + [% IF ( mandatorycardnumber ) %]Required[% END %]
    Card number must be exactly [% minlength_cardnumber %] characters.
    [% ELSIF minlength_cardnumber && maxlength_cardnumber %] - + [% IF ( mandatorycardnumber ) %]Required[% END %]
    Card number must be between [% minlength_cardnumber %] and [% maxlength_cardnumber %] characters.
    [% ELSIF maxlength_cardnumber %] - + [% IF ( mandatorycardnumber ) %]Required[% END %]
    Card number can be up to [% maxlength_cardnumber %] characters.
    [% ELSE %] - + [% IF ( mandatorycardnumber ) %]Required[% END %]
    There is no minimum or maximum character length.
    [% END %] @@ -774,7 +774,7 @@ $(document).ready(function() { - +
    This message appears on this patron's user page in the OPAC
    [% IF ( mandatoryopacnote ) %]Required[% END %] @@ -787,7 +787,7 @@ $(document).ready(function() { - +
    This message displays when checking out to this patron
    [% IF ( mandatoryborrowernotes ) %]Required[% END %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt index c5325e1181..da0deca674 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt @@ -211,11 +211,11 @@ function validate1(date) { [% END %]

    [% UNLESS ( I ) %] - [% title %] [% firstname %] [% END %] [% surname %] ([% cardnumber %])

    + [% title | html %] [% firstname | html %] [% END %] [% surname | html %] ([% cardnumber | html %])
    - [% UNLESS ( I ) %][% IF ( othernames ) %]“[% othernames %]”[% END %] + [% UNLESS ( I ) %][% IF ( othernames ) %]“[% othernames | html %]”[% END %]
    [% IF Koha.Preference( 'AddressFormat' ) %] @@ -228,22 +228,22 @@ function validate1(date) {
      [% IF ( I ) %] - [% IF ( phonepro ) %]
    1. Organization phone: [% phonepro %]
      2. [% END %] - [% IF ( emailpro ) %][% END %] + [% IF ( phonepro ) %]
    2. Organization phone: [% phonepro | html %]
      3. [% END %] + [% IF ( emailpro ) %][% END %] [% ELSE %] - [% IF ( phone ) %]
    3. Primary phone: [% phone %]
      4. [% END %] - [% IF ( phonepro ) %]
    4. Secondary phone: [% phonepro %]
      5. [% END %] - [% IF ( mobile ) %]
    5. Other phone: [% mobile %]
      6. [% END %] + [% IF ( phone ) %]
    6. Primary phone: [% phone | html %]
      7. [% END %] + [% IF ( phonepro ) %]
    7. Secondary phone: [% phonepro | html %]
      8. [% END %] + [% IF ( mobile ) %]
    8. Other phone: [% mobile | html %]
      9. [% END %] [% END %] [% IF ( P ) %] - [% IF ( phone ) %]
    9. Primary phone: [% phone %]
      10. [% END %] - [% IF ( mobile ) %]
    10. Other phone: [% mobile %]
      11. [% END %] + [% IF ( phone ) %]
    11. Primary phone: [% phone | html %]
      12. [% END %] + [% IF ( mobile ) %]
    12. Other phone: [% mobile | html %]
      13. [% END %] [% END %] [% IF ( fax ) %]
    13. Fax: [% fax %]
      14. [% END %] [% UNLESS ( I ) %] - [% IF ( email ) %][% END %] - [% IF ( emailpro ) %][% END %] + [% IF ( email ) %][% END %] + [% IF ( emailpro ) %][% END %] [% END %] [% IF ( initials ) %]
    14. Initials: [% initials %]
      15. [% END %] [% IF ( dateofbirth ) %]
    15. Date of birth:[% dateofbirth | $KohaDates %] ([% age %] years)
      16. [% END %] @@ -255,7 +255,7 @@ function validate1(date) { Guarantees: @@ -263,9 +263,9 @@ function validate1(date) {
    16. Guarantor: [% IF guarantor.borrowernumber %] - [% guarantor.firstname %] [% guarantor.surname %] + [% guarantor.firstname | html %] [% guarantor.surname | html %] [% ELSE %] - [% guarantor.firstname %] [% guarantor.surname %] + [% guarantor.firstname | html %] [% guarantor.surname | html %] [% END %]
      17. [% END %] @@ -289,15 +289,15 @@ function validate1(date) {
      [% IF ( picture ) %] Manage patron image -
      To update the image for [% title %] [% surname %], select a new image file and click 'Upload.'
      Click the 'Delete' button to remove the current image. +
      To update the image for [% title | html %] [% surname | html %], select a new image file and click 'Upload.'
      Click the 'Delete' button to remove the current image. [% ELSE %] Upload patron image -
      [% title %] [% firstname %] [% surname %] does not currently have an image available. To import an image for [% title %] [% surname %], enter the name of an image file to upload. +
      [% title %] [% firstname | html %] [% surname | html %] does not currently have an image available. To import an image for [% title %] [% surname | html %], enter the name of an image file to upload. [% END %]
      Only PNG, GIF, JPEG, XPM formats are supported.
      - +
      1. @@ -455,15 +455,15 @@ function validate1(date) {

        Alternative contact

        -
        1. Surname: [% altcontactsurname %]
          2. -
        2. First name: [% altcontactfirstname %]
          3. -
        3. Address: [% altcontactaddress1 %]
          4. -
        4. Address 2: [% altcontactaddress2 %]
          5. -
        5. City: [% altcontactaddress3 %]
          6. - [% IF ( altcontactstate ) %]
        6. State: [% altcontactstate %]
          7. [% END %] -
        7. ZIP/Postal code: [% altcontactzipcode %]
          8. - [% IF ( altcontactcountry ) %]
        8. Country: [% altcontactcountry %]
          9. [% END %] - [% IF ( altcontactphone ) %]
        9. Phone: [% altcontactphone %]
          10. [% END %] +
          1. Surname: [% altcontactsurname | html %]
            2. +
          2. First name: [% altcontactfirstname | html %]
            3. +
          3. Address: [% altcontactaddress1 | html %]
            4. +
          4. Address 2: [% altcontactaddress2 | html %]
            5. +
          5. City: [% altcontactaddress3 | html %]
            6. + [% IF ( altcontactstate ) %]
          6. State: [% altcontactstate | html %]
            7. [% END %] +
          7. ZIP/Postal code: [% altcontactzipcode | html %]
            8. + [% IF ( altcontactcountry ) %]
          8. Country: [% altcontactcountry | html %]
            9. [% END %] + [% IF ( altcontactphone ) %]
          9. Phone: [% altcontactphone | html %]
            10. [% END %]
        Edit
        -- 2.20.1