git.koha-community.org Git - koha.git/commit
Bug 37681: Fix XSS in staff interface item URLs on detail page
author: David Cook <dcook@prosentient.com.au>, Tue, 20 Aug 2024 00:54:38 +0000 (00:54 +0000)
committer: Lucas Gass <lucas@bywatersolutions.com>, Mon, 30 Sep 2024 15:30:06 +0000 (15:30 +0000)
commit: e94a7e34f330082fd485309fc08250aaf3645633
tree: 4d779086f0e7df054a2ad8e903a71bc3914fbd76
parent: 2dc9dcf87a388ad118af0326f37893d525a7cbfa
Bug 37681: Fix XSS in staff interface item URLs on detail page

This patch uses Javascript objects and safe sinks to prevent XSS
in the item URLs on the staff interface detail page.

It also makes sure those URLs don't get double-escaped. Yippee!

Test plan:
0. Apply the patch
1. Add/edit an item with the following URL:
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au
2. Add/edit a different item with the following URLs:
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au |
http://prosentient.com.au?q=http%3A%2F%2Fprosentient.com.au
3. Go to the staff interface detail page
4. Notice that the URLs are not double-encoded!
5. Try out a malicious payload (talk to QA/security about this)
6. Confirm that the malicious payload fails to execute the XSS
7. Celebrate!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
koha-tmpl/intranet-tmpl/prog/en/includes/html_helpers/tables/items/catalogue_detail.inc
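The "objects and safe sinks" approach the commit message describes, as an added example that is not Koha's code: the item URL field (assumed, from the test plan, to hold one or more URLs separated by " | ") is parsed into plain data objects, and anchors are built through the `href` property and `textContent` rather than HTML string concatenation, so the value is neither parsed as markup nor percent-encoded a second time. The `fakeDocument` helper is a constructed stand-in for the browser `document` so the example runs under Node.

```javascript
// Added example (not Koha's code): render an item URL field via safe DOM sinks.
// Assumption: several URLs in one field are separated by " | ".
const URL_SEPARATOR = ' | ';
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Turn the raw field into data objects; no HTML is ever assembled from strings.
// The original text is kept verbatim, so %3A%2F%2F stays exactly as entered.
function parseItemUrls(field) {
  return String(field || '')
    .split(URL_SEPARATOR)
    .map(s => s.trim())
    .filter(s => s.length > 0)
    .map(raw => {
      let scheme = null;
      try { scheme = new URL(raw).protocol; } catch (e) { /* not an absolute URL */ }
      return { href: raw, label: raw, safe: ALLOWED_SCHEMES.has(scheme) };
    });
}

// Build the links with property and text sinks instead of innerHTML.
// `doc` is injected so the function can be exercised outside a browser.
function renderItemUrls(doc, field) {
  const container = doc.createElement('span');
  parseItemUrls(field).forEach((u, i) => {
    if (i > 0) container.appendChild(doc.createTextNode(URL_SEPARATOR));
    if (!u.safe) {
      // Anything that is not an absolute http(s) URL is shown as inert text.
      container.appendChild(doc.createTextNode(u.label));
      return;
    }
    const a = doc.createElement('a');
    a.href = u.href;         // URL sink: treated as a URL, never parsed as HTML
    a.textContent = u.label; // text sink: angle brackets become literal characters
    container.appendChild(a);
  });
  return container;
}

// Constructed minimal stand-in for `document` (for offline runs only).
function fakeDocument() {
  const node = (tag, text) => ({
    tag, text, children: [],
    appendChild(child) { this.children.push(child); return child; },
  });
  return {
    createElement: tag => node(tag),
    createTextNode: text => node('#text', text),
  };
}
```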