From 4b727f38f8380d670feab8aea0761df74757fab0 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Tue, 20 Aug 2024 00:54:38 +0000
Subject: [PATCH] Bug 37681: Fix XSS in staff interface item URLs on detail page

This patch uses Javascript objects and safe sinks to prevent XSS in the item URLs on the staff interface detail page. It also makes sure those URLs don't get double-escaped. Yippee!

Test plan:
0. Apply the patch
1. Add/edit an item with the following URL: http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au
2. Add/edit a different item with the following URLs: http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au | http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au
3. Go to the staff interface detail page
4. Notice that the URLs are not double-encoded!
5. Try out a malicious payload (talk to QA/security about this)
6. Confirm that the malicious payload fails to execute the XSS
7. Celebrate!

Signed-off-by: Martin Renvoize
Signed-off-by: Marcel de Rooy
Signed-off-by: Katrin Fischer
---
 .../tables/items/catalogue_detail.inc | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/html_helpers/tables/items/catalogue_detail.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/html_helpers/tables/items/catalogue_detail.inc
index 78e6e07680..1eb78f0168 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/html_helpers/tables/items/catalogue_detail.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/html_helpers/tables/items/catalogue_detail.inc
@@ -640,10 +640,12 @@
 let nodes = '';
 if ( row.uri.split(' \| ').length > 1 ) {
 row.uri.split(' \| ').forEach((uri, i) => {
- nodes += '%s
'.format(escape_str(uri), escape_str(uri));
+ let node = safe_link(uri,uri);
+ nodes += node.outerHTML + "
";
 });
 } else {
- nodes += '%s
'.format(escape_str(row.uri), escape_str(url_link_text));
+ let node = safe_link(row.uri,url_link_text);
+ nodes += node.outerHTML;
 }
 return nodes;
 }
@@ -841,5 +843,18 @@
 return items_table;
 }
+ function safe_link(uri,link_text) {
+ let node = document.createElement('a');
+ let url_str = '#';
+ try {
+ const safe_url = new URL(uri);
+ url_str = safe_url.href;
+ } catch (e) {
+ //console.error('Invalid URL:', e);
+ }
+ node.setAttribute('href',url_str);
+ node.textContent = link_text;
+ return node;
+ }
 [% END %]
-- 
2.39.5
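Review bot: `let node` on the two added lines in this hunk could be `const`, since `node` is never reassigned before `node.outerHTML` is read: `const node = safe_link(uri, uri);` and `const node = safe_link(row.uri, url_link_text);`. Serialising through `outerHTML` and concatenating into `nodes` keeps the href and link text escaped, but only as long as whatever consumes `nodes` (outside this hunk) inserts it as HTML without running it through `escape_str()` again, which is exactly the double-escaping the commit removes; a comment at the `let nodes = '';` declaration would pin that contract, e.g. `// built from Element.outerHTML, so href/text are already HTML-escaped; do not escape_str() this again`. The enclosing function begins outside the hunk.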
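Review bot: `safe_link` only rejects strings that `new URL()` cannot parse, and the WHATWG URL parser accepts any scheme, so a stored item URI with a script-capable scheme such as `javascript:` still becomes a clickable `href` even though attribute breakout is now prevented; the `try` block should also check the scheme against an allowlist of what item URLs are expected to carry, e.g. `if (!['http:', 'https:'].includes(safe_url.protocol)) throw new Error('unsupported scheme');` immediately after the `new URL(uri)` line (the exact allowlist needs confirming against what Koha permits in item URLs, which I cannot see here). The `catch (e)` block with the commented-out `console.error` silently maps every unparseable URI to `'#'`, so a malformed item URL is indistinguishable from a working one in the rendered table; a `console.warn('Invalid item URL:', uri)` there would keep the fallback but make it visible. Note also that `new URL(uri)` with no base argument throws on relative strings, so any relative item URLs (if the data contains them) would all collapse to `'#'`.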