From 777a5f8582a470ce039ac905a51619a1faed5be7 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Wed, 28 Aug 2024 12:18:06 +0200
Subject: [PATCH] Bug 37720: Prevent XSS in label creator

Because labels/label-edit-batch.pl fills a DataTable with things that include
a link created by C4/Creators/Lib.pm, it outputs them with the $raw filter,
so HTML in author/title/callnumber is executed in the label batch editor.
While we wait for a fix that moves the link creation into the template and
out of C4, encoding HTML in Lib.pm for the bits going into the link, and
switching from $raw to the html filter for the rest of the things, will at
least get rid of the XSS.

Test plan:
 1. Without this patch, but with the patch from bug 37654 so you don't get
    alert()s in batch import, download attachment 170675 [details]
 2. Cataloging - Stage records for import - browse to the downloaded file -
    Upload file - when the upload finishes Stage for import - when staging
    finishes View batch (get alert()s if you didn't apply bug 37654) - Import
    this batch into the catalog
 3. Once the import finishes, Cataloging - Manage staged records
 4. In the row for your import, in the # Items column, click "(Create label
    batch)"
 5. In the "Label batch #n created" message, click the link to the batch #
 6. Because the batch includes a call number with an open <script>, you'll
    get XSS alert()s and then one about something going wrong while loading
    the table, with only one of the two records showing in the batch editor
 7. Apply patch, restart_all
 8. Cataloging - Label creator - Manage Label batches
 9. In the row for your batch, click Edit
10. You will see both labels, with their attempts at XSS visible as text
    rather than being interpreted as HTML

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
---
 C4/Creators/Lib.pm                                           | 3 +--
 .../intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt | 5 ++++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/C4/Creators/Lib.pm b/C4/Creators/Lib.pm
index d4831ab479..169ba008de 100644
--- a/C4/Creators/Lib.pm
+++ b/C4/Creators/Lib.pm
@@ -345,8 +345,7 @@ sub get_label_summary {
         $record->{'title'} =~ s/\W*$//;  # strip off ugly trailing chars
         # FIXME contructing staff interface URLs should be done *much* higher up the stack - for the most part, C4 module code
         # should not know that it's part of a web app
-        $record->{'title'} = '<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=' . $record->{'biblionumber'} . '"> ' . $record->{'title'} . '</a>';
-        $label_summary->{'_summary'} = $record->{'title'} . " | " . ($record->{'author'} ? $record->{'author'} : 'N/A');
+        $label_summary->{'_summary'} = { title => $record->{title}, author => $record->{author}, biblionumber => $record->{biblionumber} };
         $label_summary->{'_item_type'} = C4::Context->preference("item-level_itypes") ? $record->{'itype'} : $record->{'itemtype'};
         $label_summary->{'_barcode'} = $record->{'barcode'};
         $label_summary->{'_item_number'} = $item->{'item_number'};
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt
index 835858514d..33f170b807 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt
@@ -172,8 +172,11 @@
                                                                     <td>
                                                                         [% IF ( text_field.field_name == '_item_type_tbl' ) %]
                                                                             [% ItemTypes.GetDescription( text_field.field_value ) | html %]
+                                                                        [% ELSIF ( text_field.field_name == '_summary_tbl' ) %]
+                                                                            <a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% text_field.field_value.biblionumber | uri %]">[% text_field.field_value.title | html %]</a>
+                                                                            [% IF text_field.field_value.author %]| [% text_field.field_value.author | html %][% END %]
                                                                         [% ELSE %]
-                                                                            [% text_field.field_value | $raw %]
+                                                                            [% text_field.field_value | html %]
                                                                         [% END %]
                                                                     </td>
                                                                 [% END %]
-- 
2.39.5