From 4e32b761986f5de28df4f1125b5d16c6c2f24306 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Wed, 13 Sep 2023 01:33:43 +0000
Subject: [PATCH] Bug 34761: Prevent XSS for searches and saved search filters tags are interpreted in JSON strings as HTML, which can lead to XSS attacks. This patch puts HTML escaped JSON in the value of a hidden HTML element. The Javascript then takes the value as a string, parses it as JSON, and is able to use it to save search filters without triggering a XSS attack. This patch also adds DataTable's built-in HTML escaping for the query and limits on the admin UI for the search filters.
Test plan:
0. Apply patch
1. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=SavedSearchFilters
2. Enable the system preference
3. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
4. Click "Save search as filter"
5. Checkbox "Show in staff interface?"
6. Type "E-TEST" into box and click 'Save'
7. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
8. Click "E-TEST" under "Custom search filters"
9. Note that you see search results
10. Go to http://localhost:8081/cgi-bin/koha/admin/search_filters.pl
11. Note that for "E-TEST" you see a "Query" like {"operators":[],"operands":["e"],"indexes":[]}
12. Note that for "E-TEST" you see a "Limits" like {"limits":[]}
Signed-off-by: Lucas Gass
Signed-off-by: Marcel de Rooy
Signed-off-by: Tomas Cohen Arazi
---
 .../intranet-tmpl/prog/en/modules/admin/search_filters.tt | 6 ++++--
 .../intranet-tmpl/prog/en/modules/catalogue/results.tt | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt
index 0777c168cc..1ee1b51343 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt
@@ -119,12 +119,14 @@
 {
 "data": "query",
 "searchable": true,
- "orderable": true
+ "orderable": true,
+ "render": jQuery.fn.DataTable.render.text()
 },
 {
 "data": "limits",
 "searchable": true,
- "orderable": true
+ "orderable": true,
+ "render": jQuery.fn.DataTable.render.text()
 },
 {
 "data": "opac",
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
index 7e7eeaa657..16938a6f6c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
@@ -797,6 +797,8 @@
+
+
 [% MACRO jsinclude BLOCK %]
 [% Asset.js("js/browser.js") | $raw %]
 [% Asset.js("lib/hc-sticky.js") | $raw %]
@@ -837,8 +839,8 @@
 query_desc: "[% To.json( query_desc ) | html %]",
 query_cgi: "[% query_cgi | html %]",
 limit_cgi: "[% limit_cgi | html %]",
- query_json: [% query_json | $raw %],
- limit_json: [% limit_json | $raw %],
+ query_json: JSON.parse($('#query_json').val()),
+ limit_json: JSON.parse($('#limit_json').val()),
 sort_by: "[% sort_by | html %]",
 gotoPage: "[% gotoPage | html %]",
 gotoNumber: "[% gotoNumber | html %]",
--
2.39.5
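Review bot: The `"render": jQuery.fn.DataTable.render.text()` added to the `query` and `limits` columns carries no comment explaining why these two columns need it, so a later edit of the column list could drop the renderer without noticing the regression; a line such as `// query/limits contain user-supplied search terms: render as text so any markup in them is escaped rather than interpreted` above the first occurrence would pin the intent. The same treatment presumably belongs on any other column of this table that shows user-entered text (the saved filter's name, if it is rendered here), but those columns are outside the hunk and cannot be checked from it. The columns array being edited starts and ends outside the hunk.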
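Review bot: `query_json: JSON.parse($('#query_json').val())` and the `limit_json` line under it throw a SyntaxError when the hidden element is missing or its value is empty (`$().val()` is `undefined`, which `JSON.parse` rejects), and because that happens while the enclosing object literal is being built, the rest of the script is lost too; the replaced `[% query_json | $raw %]` form would also have produced a script error on an empty value, so this is not a regression, but the dependency deserves a comment. The elements read here are the two lines added in the hunk at line 797 of the same file, whose content is not visible in this copy of the patch, so the `#query_json`/`#limit_json` ids and the HTML escaping of their values that the commit message describes cannot be confirmed from the hunk itself. A note above the two lines, e.g. `// Parsed from HTML-escaped hidden inputs (#query_json/#limit_json) instead of interpolated raw, so markup in a search term is escaped rather than executed`, records why the data takes this route. The object literal these properties belong to starts and ends outside the hunk.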