From 25856135c6e19fc559c33b5166348d1a053f9b76 Mon Sep 17 00:00:00 2001 From: Phil Ringnalda Date: Thu, 15 Aug 2024 21:22:12 -0700 Subject: [PATCH] Bug 37656: XSS in Advanced editor from Z39.50 search results MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The Advanced editor inserts data from Z39.50 results into the search results page without escaping HTML. Whether it's German records with "<> Title" or someone with a compromised catalog or a book with the title " for emphasis" it shouldn't. Test plan: 1. Not a dependency, but you'll avoid getting even more alerts while batch importing by starting with the patch from bug 37654 2. Without this patch applied, download attachment 170421 3. Administration - set the preference EnableAdvancedCatalogingEditor to Enable 4. Cataloging - Stage records for import - browse to the downloaded file - Upload file - Stage for import 5. Once the background job finishes, View batch (getting alerts if you didn't apply the patch from bug 37654) - Import this batch into the catalog 6. When the import finishes, Search the catalog for script, on the imported record Edit record (if you wind up in the basic editor, Settings - Switch to Advanced editor) 7. In the left sidebar below the search inputs, click Advanced », check the checkbox for Local catalog and uncheck any others, then search for the Title script 8. You'll get five alerts, and the word "edition" displayed in huge text 9. Close the search popup, apply patch, shift+reload the advanced editor page to clear your cache 10. Repeat step 7, but this time you won't get any alerts, and you'll see the title and the other