From 863d8fed15411b03adfe2105fc7d4b2321fea0b9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Micha=C5=82=20G=C3=B3rny?=
Date: Fri, 16 Jun 2023 16:16:37 +0200
Subject: [PATCH] Bug 34023: Prevent HTML injection in "back to results" link from search page

It is possible inject raw HTML into the "Back to search results" link by leading the user to a search with specially crafted URL. For example, using the demo instance:

1. Visit https://koha.adminkuhn.ch/cgi-bin/koha/opac-search.pl?idx=&q=test&weight_search=1&%22%3Etest%3Ca%20foo=%22
2. Refresh the page (for some reason, "back to results" doesn't appear unless I do that at least once).
3. Click any result.

Note that the result page now contains:

testtest

Signed-off-by: Marcel de Rooy
Signed-off-by: Tomas Cohen Arazi
---
 opac/opac-search.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/opac/opac-search.pl b/opac/opac-search.pl
index ffa0478776..b8348f88fb 100755
--- a/opac/opac-search.pl
+++ b/opac/opac-search.pl
@@ -369,7 +369,7 @@ for (keys %$params) {
     my @pasarParam = $cgi->multi_param($_);
     for my $paramValue(@pasarParam) {
         $pasarParams .= '&' if ($j > 0);
-        $pasarParams .= $_ . '=' . uri_escape_utf8($paramValue);
+        $pasarParams .= uri_escape_utf8($_) . '=' . uri_escape_utf8($paramValue);
         $j++;
     }
 }
-- 
2.20.1
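Review bot: The hardening on the `+` line relies on every producer of `$pasarParams` being URL-encoded, and whether the template that later prints this string into the "back to results" link also applies an `html` or `uri` filter cannot be confirmed from this hunk — worth checking, since output-side escaping is the defence that survives the next person appending to this string. Encoding the key here is sound: `uri_escape_utf8` by default leaves only unreserved characters (`A-Za-z0-9-._~`) unencoded, so `"`, `<` and `>` in a parameter name can no longer reach the markup. I would record that invariant above the loop, e.g. `# Both key and value must stay URL-encoded: this string is echoed back into a link by the template`. The enclosing `for (keys %$params)` loop starts before this hunk, and its bare `$_` is carried through the nested `for my $paramValue` loop; a named variable (`for my $name (keys %$params)`) would make the escaped-key line read clearly and remove the risk of `$_` being clobbered between the two loops. A regression test that passes a key containing `"><` and asserts the resulting string contains no raw `<` would pin the fix.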