From 90f3b84def924dcc76719c01d75aa09241c92f8e Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Tue, 3 Dec 2013 11:46:24 +1300 Subject: [PATCH] Bug 11322: fix XSS bug in purchase suggestions - OPAC 1/ Add a suggestion in the opac, with lots of html 2/ View that suggestion in the OPAC, note the html is rendering 3/ Apply the patch 4/ Test again, in prog and bootstrap, no more rendered html Signed-off-by: David Cook Works as described. Signed-off-by: Katrin Fischer Signed-off-by: Galen Charlton
--- .../bootstrap/en/modules/opac-suggestions.tt | 12 ++++++------ .../opac-tmpl/prog/en/modules/opac-suggestions.tt | 14 +++++++------- 2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-suggestions.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-suggestions.tt
index 0d87effb6e..bb7c1eabf0 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-suggestions.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-suggestions.tt
@@ -164,18 +164,18 @@ [% END %]

[% suggestions_loo.title |html %]

-

[% IF ( suggestions_loo.author ) %][% suggestions_loo.author %],[% END %] - [% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate %],[% END %] - [% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode %][% END %] - [% IF ( suggestions_loo.place ) %]([% suggestions_loo.place %])[% END %] - [% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle %][% END %] +

[% IF ( suggestions_loo.author ) %][% suggestions_loo.author |html %],[% END %] + [% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate |html %],[% END %] + [% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode |html %][% END %] + [% IF ( suggestions_loo.place ) %]([% suggestions_loo.place |html %])[% END %] + [% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle |html %][% END %] [% IF ( suggestions_loo.itemtype ) %] - [% suggestions_loo.itemtype %][% END %]

[% IF ( suggestions_loo.note ) %] Note: - [% suggestions_loo.note %] + [% suggestions_loo.note |html %] [% END %] [% IF Koha.Preference( 'OPACViewOthersSuggestions' ) == 1 %] diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt index 0fcd5e2404..631325999c 100644 --- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt +++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt @@ -189,16 +189,16 @@ [% END %]
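Review bot: `[% suggestions_loo.itemtype %]` on the new side of this hunk is still rendered without the `|html` filter while every neighbouring field now has one; the item type is presumably picked from a select in the OPAC form, but the stored value is whatever the patron's request sent, so it should be encoded like the rest: `[% IF ( suggestions_loo.itemtype ) %] - [% suggestions_loo.itemtype |html %][% END %]`. Note that Template Toolkit's `html` filter encodes only `<`, `>`, `&` and `"`, which is adequate for element text (what these lines appear to be — the surrounding markup has been stripped in this rendering) but not for a single-quoted attribute, a URL or a script block, so these values must not be reused in such a context without a context-appropriate filter. The prog hunk in this same patch also escapes `suggestions_loo.reason`; if the bootstrap template renders that field as well, it lies outside this hunk and is not covered by the patch, which is worth confirming before the bug is closed.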

[% suggestions_loo.title |html %]

-

[% IF ( suggestions_loo.author ) %][% suggestions_loo.author %],[% END %] - [% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate %],[% END %] - [% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode %][% END %] - [% IF ( suggestions_loo.place ) %]([% suggestions_loo.place %])[% END %] - [% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle %][% END %] +

[% IF ( suggestions_loo.author ) %][% suggestions_loo.author |html %],[% END %] + [% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate |html %],[% END %] + [% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode |html %][% END %] + [% IF ( suggestions_loo.place ) %]([% suggestions_loo.place |html %])[% END %] + [% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle |html%][% END %] [% IF ( suggestions_loo.itemtype ) %] - [% suggestions_loo.itemtype %][% END %]

- [% suggestions_loo.note %] + [% suggestions_loo.note |html %] [% IF ( OPACViewOthersSuggestions ) %] [% IF ( suggestions_loo.branchcodesuggestedby ) %][% suggestions_loo.branchcodesuggestedby %][% ELSE %] [% END %] @@ -215,7 +215,7 @@ [% ELSIF ( suggestions_loo.AVAILABLE ) %]Available in the library [% ELSE %] [% KohaAuthorisedValues.GetByCode( 'SUGGEST_STATUS', suggestions_loo.STATUS, 1 ) %] [% END %] - [% IF ( suggestions_loo.reason ) %]([% suggestions_loo.reason %])[% END %] + [% IF ( suggestions_loo.reason ) %]([% suggestions_loo.reason |html %])[% END %] [% END %] -- 2.39.5
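Review bot: Two values on the new side of the `@@ -189` hunk are still emitted raw: `[% suggestions_loo.itemtype %]` on the same line as the newly escaped bibliographic fields, and `[% suggestions_loo.branchcodesuggestedby %]` under the OPACViewOthersSuggestions branch. Both come from the same suggestion record the patron submitted (a branch or item-type code is presumably a picklist value, but the stored string is what the request carried), so the same treatment applies: `[% suggestions_loo.itemtype |html %]` and `[% suggestions_loo.branchcodesuggestedby |html %]`. Separately, `[% suggestions_loo.collectiontitle |html%]` drops the space before `%]` that every other filtered directive in the hunk has; TT accepts it, but for consistency write `[% suggestions_loo.collectiontitle |html %]`. The enclosing markup appears stripped in this rendering, so I cannot confirm the output context beyond element text.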
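Review bot: The `@@ -215` hunk escapes `suggestions_loo.reason` but leaves `[% KohaAuthorisedValues.GetByCode( 'SUGGEST_STATUS', suggestions_loo.STATUS, 1 ) %]` unfiltered two lines above it. That description is staff-entered configuration rather than patron input, so the risk is lower than for the fields this patch fixes, but it is still stored data reaching an OPAC page, and unless the helper is known to return pre-encoded text (not visible here) it should get the same filter: `[% KohaAuthorisedValues.GetByCode( 'SUGGEST_STATUS', suggestions_loo.STATUS, 1 ) |html %]`.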