From 3c3237ca87ea90b11a7391cbe0ed08edb70aef05 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:57:48 +0000
Subject: [PATCH] Bug 26102: [19.11] Prevent XSS when To.json is used: catalogue/results.tt

To test, perform a search in the catalogue and verify that search term highlighting works correctly.

Signed-off-by: Wainui Witika-Park
---
 koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
index 68e5388e31..5f42a03de6 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
@@ -1,5 +1,6 @@
 [% USE raw %]
 [% USE Asset %]
+[% USE To %]
 [% USE Koha %]
 [% USE Biblio %]
 [% USE KohaDates %]
@@ -772,7 +773,7 @@
                 [% IF ( query_desc ) %]
                     toHighlight = $("p,span.results_summary,a.title");
-                    var query_desc = "[% query_desc |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+                    var query_desc = "[% To.json( query_desc ) | html %]",
                         q_array = query_desc.split(" ");
                     // ensure that we don't have "" at the end of the array, which can
                     // break the highlighter
-- 
2.39.5
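Review bot: The added line keeps the outer double quotes around `[% To.json( query_desc ) | html %]`; if To.json emits a JSON string literal complete with its own quotes, the rendered text becomes `"&quot;...&quot;"` once `html` runs, so the JavaScript `query_desc` carries a literal `&quot;` at each end and the first and last entries of `q_array` no longer match the terms to highlight — exactly what the stated test plan (search term highlighting works) should catch. The `html` filter also rewrites any escaped quote or `&` inside the JSON as `\&quot;`/`&amp;`, which the replaced line already did, so that part is not a regression, and encoding `<`/`>` is what keeps a `</script>` sequence in the query from closing the inline block. Either drop the outer quotes when To.json already supplies them, or document the intent next to the line, e.g. `// To.json yields a quoted JSON string; html-encoding keeps </script> out of the inline block`. The enclosing script block starts and ends outside the hunk, and the old side of this hunk appears to have lost one context line in collapsing (counts say 7, six are visible).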