From 368068c71597eaf61e4f9cc154002ea92dfd16c3 Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Tue, 3 Dec 2013 11:34:48 +1300 Subject: [PATCH] Bug 11322: fix XSS bug in purchase suggestions pages To test 1/ Switch on purchase suggestions 2/ On the public interface (OPAC) add a suggestion, put html in every field 3/ In the staff interface go to the suggestions page /cgi-bin/koha/suggestion/suggestion.pl 4/ Notice the html is rendered 5/ Click on a suggestion, notice the html is rendered on the show page also 6/ Apply the patch, check these two pages again, html should now be escaped Signed-off-by: David Cook Works as described. Signed-off-by: Katrin Fischer Passes all tests, thx Chris! Signed-off-by: Galen Charlton
--- .../prog/en/modules/suggestion/suggestion.tt | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt
index e590142a7d..7c6c98df09 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt
@@ -187,12 +187,12 @@ h4.local_collapse a { font-size : 80%; text-decoration: none; } fieldset.brief o Bibliographic information
  1. Title:[% title |html %]
  2. -
  3. Author:[% author %]
  4. -
  5. Copyright date:[% copyrightdate %]
  6. -
  7. ISBN or ISSN or other standard number:[% isbn %]
  8. -
  9. Publisher:[% publishercode %]
  10. -
  11. Publication place:[% place %]
  12. -
  13. Collection title:[% collectiontitle %]
  14. +
  15. Author:[% author |html %]
  16. +
  17. Copyright date:[% copyrightdate |html %]
  18. +
  19. ISBN or ISSN or other standard number:[% isbn |html %]
  20. +
  21. Publisher:[% publishercode |html %]
  22. +
  23. Publication place:[% place |html %]
  24. +
  25. Collection title:[% collectiontitle |html %]
  26. Document type: [% FOREACH itemtypeloo IN itemtypeloop %] [% IF ( itemtypeloo.selected ) %][% itemtypeloo.description %][% END %]
@@ -205,7 +205,7 @@ h4.local_collapse a { font-size : 80%; text-decoration: none; } fieldset.brief o [% END %]
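Review bot: `[% itemtypeloo.description %]` in the Document type block at the end of this hunk is still emitted unfiltered while every other field in the same list now carries `|html`; item type descriptions are admin-configured rather than patron-supplied, so the exposure is presumably lower, but the fieldset is easier to audit if it reads `[% itemtypeloo.description |html %]` as well. Template Toolkit's `html` filter replaces only `&`, `<`, `>` and `"`, so the filtered values are safe in element content and double-quoted attributes but not inside single-quoted attributes or inline script; a one-line template comment at the top of the fieldset stating that assumption would help the next person who moves one of these fields into an attribute.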
  27. [% END %] -
  28. Notes:[% note %]
  29. +
  30. Notes:[% note |html %]
Suggestion management
@@ -490,9 +490,9 @@ h4.local_collapse a { font-size : 80%; text-decoration: none; } fieldset.brief o [% suggestions_loo.title |html %][% IF ( suggestions_loo.author ) %], by [% suggestions_loo.author %][% END %] [edit]
- [% IF ( suggestions_loo.copyrightdate ) %]© [% suggestions_loo.copyrightdate %] [% END %]
- [% IF ( suggestions_loo.volumedesc ) %]; Volume:[% suggestions_loo.volumedesc %] [% END %]
- [% IF ( suggestions_loo.isbn ) %]; ISBN:[% suggestions_loo.isbn %] [% END %][% IF ( suggestions_loo.publishercode ) %]; Published by [% suggestions_loo.publishercode %] [% END %][% IF ( suggestions_loo.publicationyear ) %] in [% suggestions_loo.publicationyear %] [% END %][% IF ( suggestions_loo.place ) %] in [% suggestions_loo.place %] [% END %][% IF ( suggestions_loo.collectiontitle ) %]; [% suggestions_loo.collectiontitle %] [% END %][% IF ( suggestions_loo.itemtype ) %]; [% suggestions_loo.itemtype %] [% END %]
[% IF ( suggestions_loo.note ) %][% suggestions_loo.note %][% END %]
+ [% IF ( suggestions_loo.copyrightdate ) %]© [% suggestions_loo.copyrightdate |html %] [% END %]
+ [% IF ( suggestions_loo.volumedesc ) %]; Volume:[% suggestions_loo.volumedesc |html %] [% END %]
+ [% IF ( suggestions_loo.isbn ) %]; ISBN:[% suggestions_loo.isbn |html %] [% END %][% IF ( suggestions_loo.publishercode ) %]; Published by [% suggestions_loo.publishercode |html %] [% END %][% IF ( suggestions_loo.publicationyear ) %] in [% suggestions_loo.publicationyear |html %] [% END %][% IF ( suggestions_loo.place ) %] in [% suggestions_loo.place |html %] [% END %][% IF ( suggestions_loo.collectiontitle ) %]; [% suggestions_loo.collectiontitle |html %] [% END %][% IF ( suggestions_loo.itemtype ) %]; [% suggestions_loo.itemtype |html %] [% END %]
[% IF ( suggestions_loo.note ) %][% suggestions_loo.note |html%][% END %] [% IF ( suggestions_loo.emailsuggestedby ) %][% END %][% suggestions_loo.surnamesuggestedby %][% IF ( suggestions_loo.firstnamesuggestedby ) %], [% suggestions_loo.firstnamesuggestedby %][% END %] [% IF ( suggestions_loo.emailsuggestedby ) %][% END %] -- 2.39.5
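Review bot: The context line that opens this hunk still renders `, by [% suggestions_loo.author %]` with no filter, even though the title immediately before it gets `|html` and the author field is one of the OPAC-supplied values the commit message says to test with markup; it should read `, by [% suggestions_loo.author |html %]`. The same gap is visible on the last line of the hunk for `suggestions_loo.surnamesuggestedby` and `suggestions_loo.firstnamesuggestedby`, which come from the patron record and are presumably free text as well, so they warrant the filter for the same reason. Separately, `[% suggestions_loo.note |html%]` omits the space before `%]` that every other filtered directive in this commit uses; `[% suggestions_loo.note |html %]` keeps the style uniform. The FOREACH loop that produces `suggestions_loo` begins before this hunk.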