]> git.koha-community.org Git - koha.git/commit
Bug 34761: Prevent XSS for searches and saved search filters
authorDavid Cook <dcook@prosentient.com.au>
Wed, 13 Sep 2023 01:33:43 +0000 (01:33 +0000)
committerTomas Cohen Arazi <tomascohen@theke.io>
Mon, 25 Sep 2023 21:18:39 +0000 (18:18 -0300)
commit4e32b761986f5de28df4f1125b5d16c6c2f24306
tree86986ab3018ecaa063119880e6c279e4ced73f29
parentdcd698a4b4ed7f3a714ef35fe83c007fce9d52ae
Bug 34761: Prevent XSS for searches and saved search filters

</script> tags are interpreted in JSON strings as HTML, which can
lead to XSS attacks.

This patch puts HTML escaped JSON in the value of a hidden HTML element.
The Javascript then takes the value as a string, parses it as JSON,
and is able to use it to save search filters without triggering a
XSS attack.

This patch also adds DataTable's built-in HTML escaping for the query
and limits on the admin UI for the search filters.

Test plan:
0. Apply patch
1. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=SavedSearchFilters
2. Enable the system preference
3. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
4. Click "Save search as filter"
5. Checkbox "Show in staff interface?"
6. Type "E-TEST" into box and click 'Save'
7. Go to
http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
8. Click "E-TEST" under "Custom search filters"
9. Note that you see search results
10. Go to
http://localhost:8081/cgi-bin/koha/admin/search_filters.pl
11. Note that for "E-TEST" you see a "Query" like
{"operators":[],"operands":["e"],"indexes":[]}
12. Note that for "E-TEST" you see a "Limits" like
{"limits":[]}

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt
koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt