From 8401cd292c33cd461770c42b294fa94d280dc745 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:41:13 +0000
Subject: [PATCH] Bug 26102: [19.11] Prevent XSS when To.json is used: authorities/blinddetail-biblio-search.tt
Test the process of searching for and selecting an authority record for use in the basic MARC editor.
Signed-off-by: Wainui Witika-Park
---
 .../authorities/blinddetail-biblio-search.tt | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
index 6822225ea9..6e360fc550 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
@@ -1,3 +1,4 @@
+[% USE To %]
 [% SET footerjs = 1 %]
 [% INCLUDE 'doc-head-open.inc' %]
 Koha › Authority details
@@ -30,12 +31,12 @@
 var new_line = "";
 [% ELSE %]
 var new_line = "
- [%- FOREACH SUBFIELD_LOO IN SUBFIELD_LOOP -%]‡
- [%- SUBFIELD_LOO.marc_subfield |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r ') | html -%]
- [%- FOREACH marc_value IN SUBFIELD_LOO.marc_values -%]
- [%- marc_value |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html -%]
- [%- END -%]
- [%- END -%]‡9[% authid | html %]";
+ [%- FOREACH SUBFIELD_LOO IN SUBFIELD_LOOP -%]‡
+ [%- To.json( SUBFIELD_LOO.marc_subfield ) | html -%]
+ [%- FOREACH marc_value IN SUBFIELD_LOO.marc_values -%]
+ [%- To.json( marc_value ) | html -%]
+ [%- END -%]
+ [%- END -%]‡9[% authid | html %]";
 [% END %]
 RancorReplaceField( new_line, "[% indicator1 | html %]", "[% indicator2 | html %]" );
 [% ELSE %]
-- 
2.39.5
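Review bot: The `| html` filter on the two `To.json(...)` lines in the second hunk writes HTML entities into a `<script>` string literal, and browsers do not decode entities inside script content, so any `"`, `&` or `<` in a subfield code or value reaches `new_line` as a literal `&quot;`, `&amp;` or `&lt;` rather than the original character; it does neutralise a `</script>` breakout that raw JSON output would leave open, which is the point of the change, but the data handed to `RancorReplaceField` is altered in the process. If `To.json` wraps a bare scalar in double quotes, as JSON encoders with non-reference output typically do, each code and value will additionally be bracketed by `&quot;`, which the `‡`-delimited layout does not expect — worth confirming against the plugin before merging. A cleaner shape would keep the JSON escaping for the JavaScript string context and only replace the characters that matter inside a script body (`<`, `>`, `&`) with their `\uXXXX` JSON escapes instead of HTML entities, stripping the enclosing quotes if the plugin emits them. The enclosing `[% IF %]` and `<script>` block start and end outside the hunk.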