From 55c003f4afb0d32c4b5e320c728eae7c566cd82d Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:57:48 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: catalogue/results.tt

To test, perform a search in the catalogue and verify that search term highlighting works correctly.

Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit 0de86fd323545796d57d2e289c10a33970050716)
Signed-off-by: Victor Grousset/tuxayo
(cherry picked from commit 2a56d56f434c777b017c300cb906964ae15f52f4)
Signed-off-by: Wainui Witika-Park
---
 .../prog/en/modules/catalogue/results.tt | 317 ++----------------
 1 file changed, 23 insertions(+), 294 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
index 68e5388e31..e91c1fac79 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
@@ -694,301 +694,30 @@ verify_images();
 });
 [% END %]
- var Sticky;
- $(document).ready(function() {
-
- $(".moretoggle").click(function(e) {
- e.preventDefault();
- $(this).siblings(".collapsible-facet").toggle();
- $(this).siblings(".moretoggle").toggle();
- $(this).toggle();
- });
-
- Sticky = $("#searchheader");
- Sticky.hcSticky({
- stickTo: "main",
- stickyClass: "floating"
- });
-
- $("#cartsubmit").click(function(e){
- e.preventDefault();
- addMultiple();
- });
-
- $(".addtolist").on("click",function(e){
- e.preventDefault();
- var shelfnumber = $(this).data("shelfnumber");
- var vshelf = vShelfAdd();
- if( vshelf ){
- if( $(this).hasClass("morelists") ){
- openWindow('/cgi-bin/koha/virtualshelves/addbybiblionumber.pl?' + vshelf);
- } else if( $(this).hasClass("newlist") ){
- openWindow('/cgi-bin/koha/virtualshelves/addbybiblionumber.pl?newshelf=1&' + vshelf);
- } else {
- openWindow('/cgi-bin/koha/virtualshelves/addbybiblionumber.pl?shelfnumber='+shelfnumber+'&confirm=1&' + vshelf);
- }
- }
- });
-
- $("#z3950submit").click(function(){
- PopupZ3950();
- return false;
- });
-
- $("#searchheader").on("click", ".browse_selection", function(){
- browse_selection();
- return false;
- });
-
- $("#searchheader").on("click",".placehold", function(){
- $("#holdFor").val("");
- $("#holdForClub").val("");
- placeHold();
- $(".btn-group").removeClass("open");
- return false;
- });
-
- $(".placeholdfor").click(function(){
- holdForPatron();
- $(".btn-group").removeClass("open");
- return false;
- });
-
- $(".placeholdforclub").click(function(){
- holdForClub();
- $(".btn-group").removeClass("open");
- return false;
- });
-
- $("#forgetholdfor, #forgetholdforclub").click(function(){
- forgetPatronAndClub();
- $(".btn-group").removeClass("open");
- return false;
- });
-
- $("#tagsel_span").html("");
-
- $(".selection").show();
-
- [% IF ( query_desc ) %]
- toHighlight = $("p,span.results_summary,a.title");
- var query_desc = "[% query_desc |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
- q_array = query_desc.split(" ");
- // ensure that we don't have "" at the end of the array, which can - break the highlighter
- while (q_array.length > 0 && q_array[q_array.length-1] == "") {
- q_array = q_array.splice(0,-1);
- }
- highlightOn();
- $("#highlight_toggle_on" ).hide().click(function(e) {
- e.preventDefault();
- highlightOn();
- });
- $("#highlight_toggle_off").show().click(function(e) {
- e.preventDefault();
- highlightOff();
- });
- [% END %]
-
- [% IF (SEARCH_RESULTS) %]
- var newresults = [
- [%- FOREACH result IN SEARCH_RESULTS -%]
- [%- result.biblionumber | html %],
- [%- END -%]
- ];
- var browser = KOHA.browser('[% searchid | html %]', parseInt('[% biblionumber | html %]', 10));
- browser.create([% SEARCH_RESULTS.first.result_number | html %], '[% query_cgi | html %]', '[% limit_cgi | html %]','[% sort_cgi | html %]',
- newresults, '[% total | html %]');
- [% END %]
-
- [% IF (gotoPage && gotoNumber) %]
- [% IF (gotoNumber == 'first') %]
- window.location = '/cgi-bin/koha/catalogue/[% gotoPage | html %]?biblionumber=' + [% SEARCH_RESULTS.first.biblionumber | html %] + '&searchid=[% searchid | html %]';
- [% ELSIF (gotoNumber == 'last') %]
- window.location = '/cgi-bin/koha/catalogue/[% gotoPage | html %]?biblionumber=' + [% SEARCH_RESULTS.last.biblionumber | html %] + '&searchid=[% searchid | html %]';
- [% END %]
- [% END %]
-
- [% IF LocalCoverImages %]
- KOHA.LocalCover.LoadResultsCovers();
- [% END %]
-
- [% IF ( IntranetCoce && CoceProviders ) %]
- KOHA.coce.getURL('[% CoceHost | html %]', '[% CoceProviders | html %]');
- [% END %]
-
- $("#select_all").on("click",function(e){
- e.preventDefault();
- selectAll();
- });
-
- $("#clear_all").on("click",function(e){
- e.preventDefault();
- clearAll();
- });
-
- $("#searchresults").on("click",".addtocart",function(e){
- e.preventDefault();
- var selection_id = this.id;
- var biblionumber = selection_id.replace("cart","");
- addRecord(biblionumber);
- });
-
- $("#searchresults").on("click",".cartRemove",function(e){
- e.preventDefault();
- var selection_id = this.id;
- var biblionumber = selection_id.replace("cartR","");
- delSingleRecord(biblionumber);
- });
-
- [% UNLESS Koha.Preference('BrowseResultSelection') %]
- resetSearchContext();
- [% END %]
- $(".selection").change(function(){
- if ( $(this).is(':checked') == true ) {
- addBibToContext( $(this).val() );
- } else {
- delBibToContext( $(this).val() );
- }
- });
- $("#bookbag_form").ready(function(){
- $("#bookbag_form").unCheckCheckboxes();
- var bibnums = getContextBiblioNumbers();
- if (bibnums) {
- for (var i=0; i < bibnums.length; i++) {
- var id = ('#bib' + bibnums[i]);
- if ($(id)) {
- $(id).attr('checked', true);
- }
- }
- }
- });
-
- });
-
-
- [% IF ( query_desc ) %]
- function highlightOff() {
- toHighlight.removeHighlight();
- $(".highlight_toggle").toggle();
- }
- function highlightOn() {
- var x;
- for (x in q_array) {
- q_array[x] = q_array[x].toLowerCase();
- var myStopwords = "[% Koha.Preference('NotHighlightedWords') | html %]".toLowerCase().split('|');
- if ( (q_array[x].length > 0) && ($.inArray(q_array[x], myStopwords) == -1) ) {
- toHighlight.highlight(q_array[x]);
- }
- }
- $(".highlight_toggle").toggle();
- }
- [% END %]
-
- function selectAll () {
- $("#bookbag_form").checkCheckboxes();
- $("#bookbag_form").find("input[type='checkbox'][name='biblionumber']").each(function(){
- $(this).change();
- } );
- return false;
- }
- function clearAll () {
- $("#bookbag_form").unCheckCheckboxes();
- $("#bookbag_form").find("input[type='checkbox'][name='biblionumber']").each(function(){
- $(this).change();
- } );
- return false;
- }
- function placeHold () {
- var checkedItems = $(".selection:checked");
- if ($(checkedItems).size() == 0) {
- alert(MSG_NO_ITEM_SELECTED);
- return false;
- }
- var bibs = "";
- var badBibs = false;
- $(checkedItems).each(function() {
- var bib = $(this).val();
- if ($("#reserve_" + bib).size() == 0) {
- alert(MSG_NON_RESERVES_SELECTED);
- badBibs = true;
- return false;
- }
- bibs += bib + "/";
- });
- if (badBibs) {
- return false;
- }
- $("#hold_form_biblios").val(bibs);
- $("#hold_form").submit();
- return false;
- }
-
- function forgetPatronAndClub(){
- $.removeCookie("holdfor", { path: '/' });
- $.removeCookie("holdforclub", { path: '/' });
- $(".holdforlink").remove();
- $("#placeholdc").html(" "+_("Place hold")+"");
- }
-
- function browse_selection () {
- var bibnums = getContextBiblioNumbers();
- if ( bibnums && bibnums.length > 0 ) {
- var browser = KOHA.browser('', parseInt('[% biblionumber | html %]', 10));
- browser.create(1, '[% query_cgi | html %]', '[% limit_cgi | html %]','[% sort_cgi | html %]', bibnums, bibnums.length);
- window.location = '/cgi-bin/koha/catalogue/detail.pl?biblionumber=' + bibnums[0] + '&searchid='+browser.searchid;
- } else {
- alert(MSG_NO_ITEM_SELECTED);
- }
- return false;
- }
-
- function addToList () {
- var checkedItems = $(".selection:checked");
- if ($(checkedItems).size() == 0) {
- alert(MSG_NO_ITEM_SELECTED);
- return false;
- }
- var bibs = "";
- $(checkedItems).each(function() {
- bibs += $(this).val() + "/";
- });
-
- var url = "/cgi-bin/koha/virtualshelves/addbybiblionumber.pl?biblionumbers=" + bibs;
- window.open(url, 'Add_to_virtualshelf', 'width=500, height=400, toolbar=false, scrollbars=yes');
- return false;
- }
-
- /* this function open a popup to search on z3950 server. */
- function PopupZ3950() {
- var strQuery = GetZ3950Terms();
- if(strQuery){
- window.open("/cgi-bin/koha/cataloguing/z3950_search.pl?biblionumber=[% biblionumber | html %]"+strQuery,"z3950search",'width=740,height=450,location=yes,toolbar=no,scrollbars=yes,resize=yes');
- }
- }
- /* provide Z3950 search points */
- function GetZ3950Terms(){
- var strQuery="&frameworkcode=";
- [% FOREACH z3950_search_param IN z3950_search_params %]
- strQuery += "&" + "[% z3950_search_param.name |uri %]" + "=" + "[% z3950_search_param.value |uri %]";
- [% END %]
- return strQuery;
- }
-
- function holdfor(){
- $("#holdFor").val("");
- $("#holdForClub").val("");
- placeHold();
- }
-
- function holdForPatron() {
- $("#holdFor").val("[% holdfor_cardnumber | html %]");
- placeHold();
- }
- function holdForClub() {
- $("#holdForClub").val("[% holdforclub | html %]");
- placeHold();
+ var new_results_browser = [
+ [%- FOREACH result IN SEARCH_RESULTS -%]
+ [%- result.biblionumber | html -%],
+ [%- END -%]
+ ];
+ var strQuery="&frameworkcode=";
+ [%- FOREACH z3950_search_param IN z3950_search_params -%]
+ strQuery += "&" + "[% z3950_search_param.name |uri %]" + "=" + "[% z3950_search_param.value |uri %]";
+ [%- END -%]
+
+ var search_result = {
+ query_desc: "[% To.json( query_desc ) | html %]",
+ query_cgi: "[% query_cgi | html %]",
+ limit_cgi: "[% limit_cgi | html %]",
+ sort_cgi: "[% sort_cgi | html %]",
+ sort_by: "[% sort_by | html %]",
+ gotoPage: "[% gotoPage | html %]",
+ gotoNumber: "[% gotoNumber | html %]",
+ searchid: "[% searchid | html %]",
+ total: "[% total | html %]",
+ first_result_number: "[% SEARCH_RESULTS.first.result_number | html %]",
+ first_biblionumber: "[% SEARCH_RESULTS.first.biblionumber | html %]",
+ last_biblionumber: "[% SEARCH_RESULTS.last.biblionumber | html %]",
 }
 [% END %]
-- 
2.39.5
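Review bot: `query_desc: "[% To.json( query_desc ) | html %]"` encodes the value twice — `To.json` already emits a quoted, backslash-escaped JSON string, and `| html` then turns its quotes into `&quot;` inside a second pair of literal quotes, which a `<script>` block never decodes — so whatever reads `search_result.query_desc` (not in this diff) presumably has to unescape the entities and `JSON.parse` the result before it can split on spaces the way the deleted `|replace` chain allowed, and nothing in the hunk says so. A comment on that line would make the contract explicit, e.g. `// JSON-encoded (To.json) then HTML-escaped; consumer must decode entities and JSON.parse`. The remaining fields (`query_cgi`, `limit_cgi`, `sort_cgi`, `sort_by`, `gotoPage`, `gotoNumber`) keep plain `| html` inside quoted JS literals, which neutralises `<`, `&` and `"` but not a trailing backslash or an embedded newline, so such a value would still unterminate the literal and abort the whole script (a breakage rather than an injection); wrapping them with `To.json` too would make the encoding uniform. The enclosing `[% IF %]` and `<script>` block start before this hunk.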