From afd014710f5ded1bc0c42656cccc711bc6828502 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Wed, 10 Jan 2024 13:56:15 +0100 Subject: [PATCH] Bug 35329: Prevent XSS Signed-off-by: Owen Leonard Signed-off-by: Martin Renvoize Signed-off-by: Jonathan Druart --- koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc | 4 ++-- koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt | 2 +- .../intranet-tmpl/prog/en/modules/acqui/neworderempty.tt | 2 +- koha-tmpl/intranet-tmpl/prog/en/modules/admin/aqbudgets.tt | 2 +- .../intranet-tmpl/prog/en/modules/suggestion/suggestion.tt | 6 +++--- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc index 85980b6dc3..170e7e89ee 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc @@ -881,9 +881,9 @@ parent_block.find(".info").hide(); parent_block.find(".error").hide(); if ( add_user(borrowernumber, borrowername) < 0 ) { - parent_block.find(".error").html(_("Patron '%s' is already in the list.").format(borrowername)).show(); + parent_block.find(".error").html(_("Patron '%s' is already in the list.").format(borrowername.escapeHtml())).show(); } else { - parent_block.find(".info").html(_("Patron '%s' added.").format(borrowername)).show(); + parent_block.find(".info").html(_("Patron '%s' added.").format(borrowername.escapeHtml())).show(); } } function modal_select_user(borrowernumber, data) { diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt index 8911b85957..f0ce19d607 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt @@ -1189,7 +1189,7 @@ if (ids.indexOf(borrowernumber.toString()) < 0) { ids.push(borrowernumber); $("#users_ids").val(ids.join(':')); - var li = '
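Review bot: Both changed `.html(...)` calls in the patron-search.inc hunk would be safer as `.text(...)`, because the message is plain text with no markup: `parent_block.find(".error").text(_("Patron '%s' is already in the list.").format(borrowername)).show();` (and the same for `.info`) escapes by construction instead of relying on `escapeHtml`, which is not a standard String method and so must be provided by a shared script on every page that includes this file. The `.text()` form also avoids a new failure mode: if `borrowername` is ever null or undefined, `.escapeHtml()` throws where the old `.format()` would simply have rendered the value as text. The enclosing function starts before the hunk.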
  • '+borrowername + var li = '
  • '+borrowername.escapeHtml() + ' ' + _("Delete user") + '
  • '; $("#users_names").prepend(li); diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/neworderempty.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/neworderempty.tt index e9b62396f1..790ea40189 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/neworderempty.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/neworderempty.tt @@ -209,7 +209,7 @@ if (ids.indexOf(borrowernumber.toString()) < 0) { ids.push(borrowernumber); $("#users_ids").val(ids.join(':')); - var li = '
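Review bot: The `<li>` on the changed line is still assembled by string concatenation, and only `borrowername` is escaped; the markup is stripped in this view so it is not visible which attribute `borrowernumber` is written into, but it is interpolated without any escaping or numeric coercion. Building the element with jQuery instead, e.g. `var li = $('<li/>').text(borrowername);` and then `.append(...)` for the delete link with the id set via `.attr()`, makes the escaping unnecessary and keeps the id out of raw markup, so a future field added to this snippet cannot be forgotten. If `borrowernumber` is always the integer patron key the current code is not exploitable through it, but nothing in the hunk enforces that. The enclosing function starts before the hunk.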
  • '+borrowername + var li = '
  • '+borrowername.escapeHtml() + ' [' + _("Delete user") + ']
  • '; $("#users_names").append(li); diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/aqbudgets.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/aqbudgets.tt index f2fd4d3c67..c37b7ed4f9 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/aqbudgets.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/aqbudgets.tt @@ -564,7 +564,7 @@ if(borrowernumber && ids.indexOf(borrowernumber.toString()) == -1) { var li = '
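Review bot: This is the third near-identical copy of the "add patron to list" snippet in the same patch (basket.tt and aqbudgets.tt carry the others), each patched separately; a single helper in patron-search.inc that returns the `<li>` for a `(borrowernumber, borrowername)` pair would put the escaping in one place so a fourth caller cannot miss it. Until that refactor, a short comment on the changed line such as `// borrowername is patron-entered text: keep it escaped (bug 35329)` records why `.escapeHtml()` is there, since the three copies differ only in `prepend`/`append` and the label wording. The enclosing function starts before the hunk.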
  • ' + '' + borrowername + ' ' + + borrowernumber + '">' + borrowername.escapeHtml() + ' ' + ' • '+_("Remove")+' ' + '
  • '; $("#budget_users").prepend(li); diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt index 3a05871832..96f5d6ad20 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt @@ -1282,7 +1282,7 @@ if (borrowernumber) { var managerlink = '' - + borrowername + ''; + + borrowername.escapeHtml() + ''; managedby_name.html(managerlink); managedby.val(borrowernumber); } @@ -1313,9 +1313,9 @@ success: function (data) { var suggested = ''; suggested += ''; - suggested += data.surname + ', ' + data.firstname + ' (' + data.cardnumber + ')'; + suggested += data.surname.escapeHtml() + ', ' + data.firstname.escapeHtml() + ' (' + data.cardnumber.escapeHtml() + ')'; suggested += ' '; - suggested += data._strings.library_id.str + ' (' + data._strings.category_id.str + ')'; + suggested += data._strings.library_id.str.escapeHtml() + ' (' + data._strings.category_id.str.escapeHtml() + ')'; $("#tdsuggestedby").html(suggested); }, -- 2.39.5
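Review bot: On the changed line `borrowernumber` is concatenated straight into the link attribute (`+ borrowernumber + '">'`) while only `borrowername` receives `.escapeHtml()`; the nearby `borrowernumber.toString()` suggests it is normally a number, but nothing in the hunk enforces that. Writing it as `+ encodeURIComponent(borrowernumber) + '">'` (or coercing with `Number(borrowernumber)` before use) costs nothing and closes the attribute-injection path should a caller ever pass a string. The enclosing function starts before the hunk.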
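Review bot: The new line `data.surname.escapeHtml() + ', ' + data.firstname.escapeHtml() + ' (' + data.cardnumber.escapeHtml() + ')'` throws a TypeError inside the success callback if any of those fields is null, which the old concatenation tolerated (it rendered the literal `null`); `#tdsuggestedby` would then stay empty with no visible error. A null-safe helper keeps both the escaping and the old tolerance: `var esc = function (v) { return v == null ? '' : String(v).escapeHtml(); };` then `suggested += esc(data.surname) + ', ' + esc(data.firstname) + ' (' + esc(data.cardnumber) + ')';`, and likewise for `data._strings.library_id.str` and `category_id.str` on the following changed line. Whether firstname or cardnumber can actually be null for a patron is not visible here, so treat this as defensive. The ajax call enclosing this success handler starts before the hunk.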