From c60f7a3ffd44112912e5b1591cfff45fab37219c Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:41:13 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: authorities/blinddetail-biblio-search.tt
Test the process of searching for and selecting an authority record for use in the basic MARC editor.
Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Andrew Fuerste-Henry
---
 .../en/modules/authorities/blinddetail-biblio-search.tt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
index 1aff010193..6a10d7d45d 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
@@ -30,11 +30,11 @@
 [% IF ( clear ) %]
 var new_line = "";
 [% ELSE %]
- var new_line = "
+ var new_line = "
 [%- FOREACH SUBFIELD_LOO IN SUBFIELD_LOOP -%]‡
- [%- To.json( SUBFIELD_LOO.marc_subfield ) | $raw -%]
+ [%- To.json( SUBFIELD_LOO.marc_subfield ) | html -%]
 [%- FOREACH marc_value IN SUBFIELD_LOO.marc_values -%]
- [%- To.json( marc_value ) | $raw -%]
+ [%- To.json( marc_value ) | html -%]
 [%- END -%]
 [%- END -%]‡9[% authid | html %]";
 [% END %]
--
2.39.5
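Review bot: The two `| html` filters now emit HTML entities into what appears to be a JavaScript string literal (the `var new_line = "…"` assignment; the enclosing script element starts and ends outside the hunk), and the HTML parser does not decode entities inside a script element, so a subfield value containing `"`, `&` or `<` reaches the editor as the literal text `&quot;`, `&amp;` or `&lt;` rather than the original character. That closes the script-breakout the commit targets, but it changes the data the MARC editor receives, and if `new_line` is later written through an HTML-interpreting API the entities are decoded back at that point, which would reintroduce markup injection one step later. A context-correct alternative is to serialize the values for the JavaScript context — e.g. keep a JSON encoder but have it emit `<`, `>`, `&` and the quote as `\uXXXX` escapes — or to emit the whole subfield list once as a JSON literal and build `new_line` in JavaScript from it, rather than splicing encoded fragments into a hand-written string literal. A regression test with a subfield value that contains a double quote, an ampersand and a `<` would pin whichever encoding is chosen; the `- var new_line = "` / `+ var new_line = "` pair shows no visible difference here and is presumably a whitespace-only change.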