]> git.koha-community.org Git - koha.git/commit
Bug 34023: Prevent HTML injection in "back to results" link from search page
authorMichał Górny <mgorny@gentoo.org>
Fri, 16 Jun 2023 14:16:37 +0000 (16:16 +0200)
committerMatt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Fri, 28 Jul 2023 11:15:00 +0000 (11:15 +0000)
commitf702922acb29d69f8ed9831709cc7330773f6dd1
tree4d249024a1657bdbbe7ea04d46f6aa8f24796f9c
parenta579f72ec83761bb4a13e83f884808cd1ed91e20
Bug 34023: Prevent HTML injection in "back to results" link from search page

It is possible inject raw HTML into the "Back to search results" link by leading the user to a search with specially crafted URL.

For example, using the demo instance:

1. Visit https://koha.adminkuhn.ch/cgi-bin/koha/opac-search.pl?idx=&q=test&weight_search=1&%22%3Etest%3Ca%20foo=%22

2. Refresh the page (for some reason, "back to results" doesn't appear unless I do that at least once).

3. Click any result.

Note that the result page now contains:

  <a href="opac-search.pl?idx=&amp;q=test&amp;weight_search=1&amp;">test<a foo=%22" title="...

i.e. `">test<a ...` was successfully injected into the HTML.

I'm attaching a quick patch I've used to patch up our instance.  It just indiscriminately URI-escapes all parameter keys.  I didn't decode them back since as far as I understand all valid keys do not contain special characters.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit e86e81a2480ec5486660bac241c694210eaefa11)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit cbc2b0e8dafe7053785f98247df253f014cd632c)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
opac/opac-search.pl