git.koha-community.org Git - koha.git/commit
Bug 37681: Fix XSS in staff interface item URLs on detail page
author    David Cook <dcook@prosentient.com.au>
          Tue, 20 Aug 2024 00:54:38 +0000 (00:54 +0000)
committer Katrin Fischer <katrin.fischer@bsz-bw.de>
          Fri, 18 Oct 2024 10:07:51 +0000 (12:07 +0200)
commit    4b727f38f8380d670feab8aea0761df74757fab0
tree      c0f74f8ed5dcdd184fa4317789cdceb66460158c
parent    3972f5460a4c8b46024242f9cfe7f29510db663f
Bug 37681: Fix XSS in staff interface item URLs on detail page

This patch uses Javascript objects and safe sinks to prevent XSS
in the item URLs on the staff interface detail page.

It also makes sure those URLs don't get double-escaped. Yippee!

Test plan:
0. Apply the patch
1. Add/edit an item with the following URL:
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au
2. Add/edit a different item with the following URLs:
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au |
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au
3. Go to the staff interface detail page
4. Notice that the URLs are not double-encoded!
5. Try out a malicious payload (talk to QA/security about this)
6. Confirm that the malicious payload fails to execute the XSS
7. Celebrate!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
koha-tmpl/intranet-tmpl/prog/en/includes/html_helpers/tables/items/catalogue_detail.inc
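The approach the commit message describes (keep the URLs as plain JavaScript values, validate them, and write them through safe DOM sinks so they are neither injectable nor double-escaped), as an added illustration that is not Koha's own code from this patch. It assumes the item URL field holds one or more absolute URLs separated by " | " as in the test plan, that only http and https schemes should be linked, and that a value which fails to parse is simply dropped.

```javascript
// Added example, not Koha code: prepare and render item URLs without XSS
// and without double-encoding. Assumptions: the field is a plain string of
// URLs separated by " | " (so a literal "|" inside a URL is not supported),
// and only http/https links are rendered.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Split the stored field into individual URL strings. No encoding step is
// applied here, so a stored "%3A%2F%2F" stays exactly as stored.
function splitItemUrls(field) {
  return String(field || "")
    .split("|")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Validate one URL. The URL constructor is used only as a parser; the
// original string is kept as the href so the browser handles any escaping.
// Returns { href, text } for an acceptable URL, or null to drop it.
function safeItemUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (e) {
    return null; // relative or malformed value: dropped (assumption)
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return { href: raw, text: raw };
}

// The list the template logic would hand to the renderer.
function prepareItemUrls(field) {
  return splitItemUrls(field).map(safeItemUrl).filter((u) => u !== null);
}

// Browser-side rendering. Assigning .href and .textContent are safe sinks:
// the values are never parsed as HTML, so no manual escaping is needed,
// which is also why the output cannot be double-escaped.
function renderItemUrls(container, field) {
  const doc = container.ownerDocument;
  for (const u of prepareItemUrls(field)) {
    const a = doc.createElement("a");
    a.href = u.href;
    a.textContent = u.text;
    container.appendChild(a);
    container.appendChild(doc.createTextNode(" "));
  }
}
```

`prepareItemUrls` runs anywhere (Node included); `renderItemUrls` needs a DOM container and is what the page's markup would call.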