From f702922acb29d69f8ed9831709cc7330773f6dd1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Micha=C5=82=20G=C3=B3rny?=
Date: Fri, 16 Jun 2023 16:16:37 +0200
Subject: [PATCH] Bug 34023: Prevent HTML injection in "back to results" link from search page

It is possible inject raw HTML into the "Back to search results" link by leading the user to a search with specially crafted URL. For example, using the demo instance:
1. Visit https://koha.adminkuhn.ch/cgi-bin/koha/opac-search.pl?idx=&q=test&weight_search=1&%22%3Etest%3Ca%20foo=%22
2. Refresh the page (for some reason, "back to results" doesn't appear unless I do that at least once).
3. Click any result.
Note that the result page now contains: testtest

Signed-off-by: Marcel de Rooy
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit e86e81a2480ec5486660bac241c694210eaefa11)
Signed-off-by: Fridolin Somers
(cherry picked from commit cbc2b0e8dafe7053785f98247df253f014cd632c)
Signed-off-by: Matt Blenkinsop
---
 opac/opac-search.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/opac/opac-search.pl b/opac/opac-search.pl
index 958f4ca623..96851496dc 100755
--- a/opac/opac-search.pl
+++ b/opac/opac-search.pl
@@ -367,7 +367,7 @@ for (keys %$params) {
 my @pasarParam = $cgi->multi_param($_);
 for my $paramValue(@pasarParam) {
 $pasarParams .= '&' if ($j > 0);
- $pasarParams .= $_ . '=' . uri_escape_utf8($paramValue);
+ $pasarParams .= uri_escape_utf8($_) . '=' . uri_escape_utf8($paramValue);
 $j++;
 }
 }
-- 
2.39.2
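Review bot: The added line fixes the injected key but leaves no trace of why the key must be encoded, so a later cleanup could easily revert it; a comment above the assignment would pin the reason, e.g. `# Bug 34023: parameter names come straight from the query string, so they must be URI-escaped just like the values`. The enclosing `for (keys %$params)` loop starts before the hunk and the consumer of `$pasarParams` is outside it, so this hunk alone cannot confirm that the template also applies HTML escaping when the string is emitted; presumably it is rendered through a `uri`/`html` filter, and that should be verified, since `uri_escape_utf8` makes the string a safe URL query but is not itself output escaping for the page. A smaller point of style: the outer loop topic `$_` is used across a nested loop and a method call, and binding it to a named variable (`for my $paramName (keys %$params)`) would make the key/value pairing in `uri_escape_utf8($paramName) . '=' . uri_escape_utf8($paramValue)` read unambiguously.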