From 193ac375aa5e9f30b4a3421cdca54856ebce3ea8 Mon Sep 17 00:00:00 2001
From: Julian Maurice <julian.maurice@biblibre.com>
Date: Thu, 1 Feb 2024 09:15:23 +0100
Subject: [PATCH] Bug 35960: Use .val() instead of string concat to prevent
 potential XSS
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char
3. Open the brower's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
   fragment. It should be URI-encoded.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e6f8a4361e2975dfefcd9773fa61ef7d40300086)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5409e17fb5abe0130f3cb2cd6c3d2a7707a5b251)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
index e87cb438c4..9ef3ebe7e0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
@@ -219,7 +219,9 @@
     <script>
         $(document).ready( function() {
             if ( document.location.hash ) {
-                $( '#loginform' ).append( '<input name="auth_forwarded_hash" type="hidden" value="' + document.location.hash + '"/>' );
+                const input = $('<input name="auth_forwarded_hash" type="hidden">')
+                input.val(document.location.hash);
+                $( '#loginform' ).append( input );
             }
             // Clear last borrowers, rememberd sql reports, carts, etc.
             logOut();
-- 
2.39.5