From 155aa985a83f47c1c565002303cd4b3eb8b00483 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 17:26:18 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: unimarc_field_4XX.tt
To test, edit a MARC framework to link a subfield to the unimarc_field_4XX.tt. The process of triggering the plugin and selecting a search result from the plugin popup should work correctly.
Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit dbd13593538b8dbba9dfe9ff200b1d472ec0595b)
Signed-off-by: Victor Grousset/tuxayo
(cherry picked from commit f424ae7dd89a1dfe1b2ab5a054a4388fabe03c37)
Signed-off-by: Wainui Witika-Park
---
 .../value_builder/unimarc_field_4XX.tt | 34 +++++++++----------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/value_builder/unimarc_field_4XX.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/value_builder/unimarc_field_4XX.tt
index 2268a0953c..8add060a74 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/value_builder/unimarc_field_4XX.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/value_builder/unimarc_field_4XX.tt
@@ -167,55 +167,55 @@ var subfield = subfields[i+1];
 if(code.value == '9'){
- subfield.value = "[% subfield_value_9 |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_9 ) | html %]";
 }
 if(code.value == '0'){
- subfield.value = "[% subfield_value_0 |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_0 ) | html %]";
 }
 if(code.value == 'a'){
- subfield.value = "[% subfield_value_a |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_a ) | html %]";
 }
 if(code.value == 'c'){
- subfield.value = "[% subfield_value_c |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_c ) | html %]";
 }
 if(code.value == 'd'){
- subfield.value = "[% subfield_value_d |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_d ) | html %]";
 }
 if(code.value == 'e'){
- subfield.value = "[% subfield_value_e |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_e ) | html %]";
 }
 if(code.value == 'h'){
- subfield.value = "[% subfield_value_h |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_h ) | html %]";
 }
 if(code.value == 'i'){
- subfield.value = "[% subfield_value_i |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_i ) | html %]";
 }
 if(code.value == 'l'){
- subfield.value = "[% subfield_value_l |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_l ) | html %]";
 }
 if(code.value == 'n'){
- subfield.value = "[% subfield_value_n |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_n ) | html %]";
 }
 if(code.value == 'o'){
- subfield.value = "[% subfield_value_o |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_o ) | html %]";
 }
 if(code.value == 'p'){
- subfield.value = "[% subfield_value_p |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_p ) | html %]";
 }
 if(code.value == 't'){
- subfield.value = "[% subfield_value_t |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_t ) | html %]";
 }
 if(code.value == 'u'){
- subfield.value = "[% subfield_value_u |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_u ) | html %]";
 }
 if(code.value == 'v'){
- subfield.value = "[% subfield_value_v |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_v ) | html %]";
 }
 if(code.value == 'x'){
- subfield.value = "[% subfield_value_x |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_x ) | html %]";
 }
 if(code.value == 'y'){
- subfield.value = "[% subfield_value_y |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+ subfield.value = "[% To.json( subfield_value_y ) | html %]";
 }
 }
 }
-- 
2.39.5
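Review bot: Every `+` line in this hunk layers `| html` on top of `To.json(...)` inside a JavaScript string literal, and if this block lives in a `<script>` element (not visible here) the browser does not decode entities there, so a subfield value holding `&`, `<` or `"` would arrive in `subfield.value` as `&amp;`, `&lt;` or `&quot;` rather than the original character. The `html` step is still what keeps a value containing `</script>` from terminating the script, so the trade is defensible, but it deserves a comment on the first branch such as `// To.json escapes for JS; html blocks </script> breakout but leaves entities encoded in the stored value`. The surrounding double quotes also presume the To plugin returns an unquoted, backslash-escaped scalar for a string input; if it emits a full JSON string literal with its own quotes, each of these 17 assignments would be double-quoted, so confirming that against the plugin and recording it in the same comment is cheap. The loop that declares `subfields` and `i` starts before this hunk.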