Bug 37656: XSS in Advanced editor from Z39.50 search results
The Advanced editor inserts data from Z39.50 results into the search results
page without escaping HTML. Whether it's German records with "<<A>> Title"
or someone with a compromised catalog or a book with the title "<em> for
emphasis" it shouldn't.
Test plan:
1. Not a dependency, but you'll avoid getting even more alerts while batch
importing by starting with the patch from bug 37654
2. Without this patch applied, download attachment 170421
3. Administration - set the preference EnableAdvancedCatalogingEditor to
Enable
4. Cataloging - Stage records for import - browse to the downloaded file -
Upload file - Stage for import
5. Once the background job finishes, View batch (getting alerts if you
didn't apply the patch from bug 37654) - Import this batch into the
catalog
6. When the import finishes, Search the catalog for script, on the imported
record Edit record (if you wind up in the basic editor, Settings - Switch
to Advanced editor)
7. In the left sidebar below the search inputs, click Advanced ยป, check
the checkbox for Local catalog and uncheck any others, then search for
the Title script
8. You'll get five alerts, and the word "edition" displayed in huge text
9. Close the search popup, apply patch, shift+reload the advanced editor
page to clear your cache
10. Repeat step 7, but this time you won't get any alerts, and you'll see
the title and the other <script> inclusions.
Sponsored-by: Chetco Community Public Library
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
projects / koha.git / commit