From f806ae6277e95048851b32ecc70772e1793a5d43 Mon Sep 17 00:00:00 2001 From: Nicolas Legrand Date: Thu, 5 Nov 2020 14:52:02 +0100 Subject: [PATCH] Bug 24412: (follow-up) prevent js injection MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Some js variables are not properly escaped and can be executed if containing javascript. 1. have some waiting reserve attached to a desk 2. change this desk name to : 3. go to user's checkout page (circulation.pl) and click on the Hold(s) tab 4. you should see some popup with a ❤ in it. 5. apply patch and refresh page 6. now you should see the desk name printed properly in the page: Signed-off-by: Jonathan Druart --- koha-tmpl/intranet-tmpl/prog/js/holds.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/js/holds.js b/koha-tmpl/intranet-tmpl/prog/js/holds.js index be94430d88..29a048914a 100644 --- a/koha-tmpl/intranet-tmpl/prog/js/holds.js +++ b/koha-tmpl/intranet-tmpl/prog/js/holds.js @@ -162,13 +162,13 @@ $(document).ready(function() { if ( oObj.waiting_here ) { data += __("Item is waiting here"); if (oObj.desk_name) { - data += ", " + __("at %s").format(oObj.desk_name); + data += ", " + __("at %s").format(oObj.desk_name.escapeHtml()); } } else { data += __("Item is waiting"); data += " " + __("at %s").format(oObj.waiting_at); if (oObj.desk_name) { - data += ", " + __("at %s").format(oObj.desk_name); + data += ", " + __("at %s").format(oObj.desk_name.escapeHtml()); } } -- 2.39.5