From 9c2f9a021ad619a426b395c7e540f7ede70382b1 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 1 Oct 2020 11:22:46 +0200
Subject: [PATCH] Bug 26592: Prevent XSS vulnerabilities when circ/ysearch.pl is used
Signed-off-by: Martin Renvoize
Signed-off-by: Kyle M Hall
Signed-off-by: Jonathan Druart
---
 .../prog/en/includes/js_includes.inc | 24 +++++++++++++++----
 .../prog/en/modules/circ/request-article.tt | 21 ++++++++++++----
 .../prog/en/modules/course_reserves/course.tt | 20 ++++++++++++++--
 .../prog/en/modules/reserve/request.tt | 21 ++++++++++++----
 4 files changed, 72 insertions(+), 14 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc
index 46a5949ccb..2323f83770 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc
@@ -101,11 +101,16 @@
 // Display card number in parentheses if it exists
 cardnumber = " (" + item.cardnumber + ") ";
 }
- var itemString = "" + item.surname + ", " + item.firstname + cardnumber + " ";
+ var itemString = "" + ( item.surname ? item.surname.escapeHtml() : "" ) + ", " + ( item.firstname ? item.firstname.escapeHtml() : "" ) + cardnumber.escapeHtml() + " ";
 if( item.dateofbirth ) {
- itemString += item.dateofbirth + " (" + item.age + " " + _("years") + "), ";
+ itemString += ( item.dateofbirth ? item.dateofbirth.escapeHtml() : "" ) +
+ " (" + ( item.age ? item.age.escapeHtml() : "" ) + " " + _("years") + "), ";
 }
- itemString += item.address + " " + item.city + " " + item.zipcode + " " + item.country + "";
+ itemString += ( item.address ? item.address.escapeHtml() : "" ) + " " +
+ ( item.city ? item.city.escapeHtml() : "" ) + " " +
+ ( item.zipcode ? item.city.escapeHtml() : "" ) + " " +
+ ( item.country ? item.country.escapeHtml() : "" ) +
+ "";
 return $( "
• " )
 .data( "ui-autocomplete-item", item )
 .append( itemString )
@@ -137,7 +142,18 @@
 }
 return $( "
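Review bot: The zipcode term of the new itemString concatenation tests one field and prints another — `( item.zipcode ? item.city.escapeHtml() : "" )` emits the city a second time and never shows the postcode; it should read `( item.zipcode ? item.zipcode.escapeHtml() : "" ) + " " +`, as the second hunk of this same file already does. Separately, `item.age.escapeHtml()` assumes age arrives as a string; if ysearch.pl emits it as a JSON number this throws a TypeError inside the autocomplete renderer, and `String( item.age ).escapeHtml()` is safe either way (not verifiable from this hunk). The dateofbirth ternary is redundant inside `if( item.dateofbirth )` but harmless. The enclosing _renderItem function starts before this hunk, so the initialisation of cardnumber that `cardnumber.escapeHtml()` relies on is not visible here.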
• " )
 .data( "ui-autocomplete-item", item )
- .append( "" + item.surname + ", " + item.firstname + cardnumber + " " + item.dateofbirth + " " + item.address + " " + item.city + " " + item.zipcode + " " + item.country + "" )
+ .append(
+ "" + ( item.surname ? item.surname.escapeHtml() : "" ) + ", " +
+ ( item.firstname ? item.firstname.escapeHtml() : "" ) +
+ cardnumber.escapeHtml() +
+ " " +
+ ( item.dateofbirth ? item.dateofbirth.escapeHtml() : "" ) + " " +
+ ( item.address ? item.address.escapeHtml() : "" ) + " " +
+ ( item.city ? item.city.escapeHtml() : "" ) + " " +
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" ) + " " +
+ ( item.country ? item.country.escapeHtml() : "" ) +
+ "" +
+ "" )
 .appendTo( ul );
 };
 }
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt
index de929cbc2f..c960cf011a 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/request-article.tt
@@ -323,10 +323,23 @@
 .data( "ui-autocomplete" )._renderItem = function( ul, item ) {
 return $( "
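Review bot: Every field in the new .append() call repeats the `x ? x.escapeHtml() : ""` pattern, which is easy to get wrong when copied (the first hunk of this file shows exactly that) and calls a String method on whatever type the JSON happens to carry. A one-line helper at the top of the renderer, `var esc = function( v ) { return v == null ? "" : String( v ).escapeHtml(); };`, reduces each term to `esc( item.city )`, copes with numeric values and keeps a legitimate falsy value such as 0 instead of blanking it. `cardnumber.escapeHtml()` assumes cardnumber is always a string; its assignment is outside this hunk, so that cannot be checked here. The enclosing _renderItem function begins before this hunk.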
• " )
 .data( "ui-autocomplete-item", item )
- .append( "" + item.surname + ", " + item.firstname +
- " (" + item.cardnumber + ") " + item.address +
- " " + item.city + " " + item.zipcode + " " +
- item.country + "" )
+ .append(
+ "" +
+ ( item.surname ? item.surname.escapeHtml() : "" ) +
+ ", " +
+ ( item.firstname ? item.firstname.escapeHtml() : "" ) +
+ " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")" +
+ " " +
+ "" +
+ ( item.address ? item.address.escapeHtml() : "" ) +
+ " " +
+ ( item.city ? item.city.escapeHtml() : "" ) +
+ " " +
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" ) +
+ " " +
+ ( item.country ? item.country.escapeHtml() : "" ) +
+ "" +
+ "" )
 .appendTo( ul );
 };
 }
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt
index 3a4b0abec1..e9d542d417 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/course_reserves/course.tt
@@ -169,7 +169,23 @@
 .data( "ui-autocomplete" )._renderItem = function( ul, item ) {
 return $( "
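Review bot: The renderer still assembles the row as an HTML string and depends on remembering .escapeHtml() on each of seven fields; since jQuery is already in use, setting the text through `.text()` makes the escaping structural, so a field added later to the ysearch.pl response cannot be left unescaped. The markup strings this rendering shows as empty `""` are presumably the wrapping span tags (lost here); they would become `$( "<span>" )` elements with their original class attributes restored via `.addClass()`. The sketch below keeps the same visible output; the enclosing script block continues outside the hunk.

```javascript
.data( "ui-autocomplete" )._renderItem = function( ul, item ) {
    // .text() creates text nodes, so no per-field escapeHtml() is needed
    var name = ( item.surname || "" ) + ", " + ( item.firstname || "" ) +
        " (" + ( item.cardnumber || "" ) + ")";
    var place = [ item.address, item.city, item.zipcode, item.country ]
        .map( function( v ) { return v || ""; } ).join( " " );
    return $( "<li>" )
        .data( "ui-autocomplete-item", item )
        .append( $( "<span>" ).text( name ) )   // re-add original class attributes
        .append( " " )
        .append( $( "<span>" ).text( place ) )  // re-add original class attributes
        .appendTo( ul );
};
```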
• " )
 .data( "ui-autocomplete-item", item )
- .append( "" + item.surname + ", " + item.firstname + " (" + item.cardnumber + ") " + item.address + " " + item.city + " " + item.zipcode + " " + item.country + "" )
+ .append(
+ "" +
+ ( item.surname ? item.surname.escapeHtml() : "" ) +
+ ", " +
+ ( item.firstname ? item.firstname.escapeHtml() : "" ) +
+ " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")" +
+ " " +
+ "" +
+ ( item.address ? item.address.escapeHtml() : "" ) +
+ " " +
+ ( item.city ? item.city.escapeHtml() : "" ) +
+ " " +
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" ) +
+ " " +
+ ( item.country ? item.country.escapeHtml() : "" ) +
+ "" +
+ "" )
 .appendTo( ul );
 };
@@ -186,7 +202,7 @@
 });
 function AddInstructor( name, borrowernumber ) {
- div = "
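Review bot: This _renderItem body is the same text as the ones patched in request-article.tt and reserve/request.tt, and does the same job as the shared renderer in js_includes.inc touched earlier in this patch, so the escaping fix now exists in four copies that have to be kept in step. Having the templates use the js_includes.inc renderer, or a shared helper, would put the escaping in one place; whether these templates already include js_includes.inc is not visible here. At minimum the copy should carry a pointer, e.g. `// Keep in sync with the patron autocomplete renderer in includes/js_includes.inc`. The closing `};` ends the renderer, but the surrounding script block continues outside the hunk.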
    " + name + " ( " + _("Remove")+ " )
";
+ div = "
    " + ( name ? name.escapeHtml() : "" ) + " ( " + _("Remove")+ " )
";
 $('#instructors').append( div );
 $('#find_instructor').val('').focus();
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt
index 5d9ac5aefd..95861f6be2 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reserve/request.tt
@@ -1320,10 +1320,23 @@
 .data( "ui-autocomplete" )._renderItem = function( ul, item ) {
 return $( "
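Review bot: `div` is still assigned without `var` in AddInstructor, so the rewritten line creates an implicit global each call; `var div = "` on the new line fixes it. The second parameter, `borrowernumber`, does not appear in what survives of the string literal (the tag text was stripped in this rendering), but if it is interpolated into the markup it needs the same treatment as `name`, e.g. `String( borrowernumber ).escapeHtml()`, since it presumably comes from the same autocomplete selection. Building the element with `$( "<div>" ).text( name )` and `.append()` would remove the hand escaping altogether. AddInstructor's closing brace lies outside the hunk.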
• " )
 .data( "ui-autocomplete-item", item )
- .append( "" + item.surname + ", " + item.firstname +
- " (" + item.cardnumber + ") " + item.address +
- " " + item.city + " " + item.zipcode + " " +
- item.country + "" )
+ .append(
+ "" +
+ ( item.surname ? item.surname.escapeHtml() : "" ) +
+ ", " +
+ ( item.firstname ? item.firstname.escapeHtml() : "" ) +
+ " (" + ( item.cardnumber ? item.cardnumber.escapeHtml() : "" ) + ")" +
+ " " +
+ "" +
+ ( item.address ? item.address.escapeHtml() : "" ) +
+ " " +
+ ( item.city ? item.city.escapeHtml() : "" ) +
+ " " +
+ ( item.zipcode ? item.zipcode.escapeHtml() : "" ) +
+ " " +
+ ( item.country ? item.country.escapeHtml() : "" ) +
+ "" +
+ "" )
 .appendTo( ul );
 };
 [% END %]
--
2.39.5
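Review bot: The new code always emits the parentheses around the card number, so a patron record without one renders as `Surname, Firstname ()`, whereas the shared renderer in js_includes.inc (first hunk of this patch) only adds the parenthesised number when it exists. Replacing the `" (" + ( item.cardnumber ? ... ) + ")" +` line with `( item.cardnumber ? " (" + item.cardnumber.escapeHtml() + ")" : "" ) +` restores that behaviour without weakening the escaping. The same applies to the identical blocks in request-article.tt and course.tt. The `[% END %]` context line shows the renderer sits inside a template conditional that opens outside the hunk.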