From 866d10d416fd23129895c2e9282489de6b9cebff Mon Sep 17 00:00:00 2001
From: Kyle Hall
Date: Wed, 15 Jun 2022 12:06:55 -0400
Subject: [PATCH] Bug 30969: Cross site scripting (XSS) attack in OPAC authority search ( opac-authorities-home.pl )

There appears to be a cross site scripting attack vulnerability in opac-authorities-home.pl, but may be accessible from any page using C4::Output::pagination_bar.

https://MYKOHA.LOCAL/cgi-bin/koha/opac-authorities-home.pl?and_or=and%27%22()%26%25%3Csad%3E%3CScRiPt%20%3Ealert(document.domain)%3C/ScRiPt%3E&authtypecode=CORPO_NAME&excluding=1&marclist=all&op=do_search&operator=contains&orderby=HeadingAsc&type=opac&value=1

Test Plan:
1) Use the URL above to show the XSS vulnerability exists
2) Apply this patch
3) Restart all the things!
4) Reload the page, no XSS vulnerability!

Signed-off-by: Martin Renvoize
Signed-off-by: Chris Cormack
Signed-off-by: Tomas Cohen Arazi
---
 C4/Output.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/C4/Output.pm b/C4/Output.pm
index e36ec30bdc..42c4011ca0 100644
--- a/C4/Output.pm
+++ b/C4/Output.pm
@@ -27,8 +27,9 @@ package C4::Output;
 use Modern::Perl;
-use URI::Escape;
+use HTML::Entities;
 use Scalar::Util qw( looks_like_number );
+use URI::Escape;
 use C4::Auth qw( get_template_and_user );
 use C4::Context;
@@ -83,6 +84,8 @@ sub pagination_bar {
     my $startfrom_name = (@_) ? shift : 'page';
     my $additional_parameters = shift || {};
+    $base_url = HTML::Entities::encode($base_url);
+
     $current_page = looks_like_number($current_page) ? $current_page : undef;
     $nb_pages = looks_like_number($nb_pages) ? $nb_pages : undef;
--
2.20.1
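Review bot: Escaping `$base_url` alone leaves the other inputs that pagination_bar interpolates into its markup unexamined — `$startfrom_name` and the keys and values of `$additional_parameters` are taken from the caller on the lines just above the new one, and nothing in this hunk shows them being URI- or HTML-escaped before they reach the output, so that should be confirmed in the rest of the body (pagination_bar continues outside the hunk). Entity-encoding here also fixes a contract that callers need to know about: a caller that already passes an HTML-escaped URL will now get `&amp;amp;` in its links, so a comment above the new line such as `# $base_url carries the caller's query string verbatim (user input included): HTML-escape it here, so callers must pass the raw, unescaped URL` would record that. A regression test in the existing Output test file asserting that a base URL containing `<` and `"` comes back as `&lt;` and `&quot;` in the generated links would pin the fix, since the commit only verifies it manually. The first hunk is an import reorder and needs no change.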