From 383e7b8b9e509f813618412bbb99b8f7f87b7373 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:31:26 +0000
Subject: [PATCH] Bug 26102: [19.11] Prevent XSS when To.json is used: admin/preferences.tt

Test that preference search term highlighting works correctly.

Signed-off-by: Wainui Witika-Park
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
index 38ecd63e1c..ce460ab7ab 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
@@ -1,4 +1,5 @@
 [% USE raw %]
+[% USE To %]
 [% USE Asset %]
 [% USE Koha %]
 [% SET footerjs = 1 %]
@@ -200,7 +201,7 @@
 });
 // This is here because of its dependence on template variables, everything else should go in js/pages/preferences.js - jpw
-var to_highlight = "[% searchfield |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+var to_highlight = "[% To.json( searchfield ) | html %]";
 var search_jumped = [% IF ( search_jumped ) %]true[% ELSE %]false[% END %];
 var MSG_NOTHING_TO_SAVE = _("Nothing to save");
 var MSG_SAVING = _("Saving...");
-- 
2.39.5
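Review bot: The new `to_highlight` line keeps hand-written double quotes around the To.json output and then runs it through `html` inside a script block, where HTML entities are not decoded back into characters; if To.json returns a JSON string literal with its own surrounding quotes, as JSON encoders normally do, the JS value becomes `&quot;term&quot;` rather than the search term, and the highlighting the test plan asks to verify would silently match nothing. Either let the encoder supply the quoting and escaping, `var to_highlight = [% To.json( searchfield ) | $raw %];` — acceptable only if the To plugin itself neutralises characters that could terminate the script element, which should be confirmed against its source — or keep the quoted-and-escaped approach of the removed line. A term containing a double quote and an ampersand is worth checking in the rendered page source during the test plan. The enclosing script block starts and ends outside the hunk.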