Bug 34023: Prevent HTML injection in "back to results" link from search page
author    Michał Górny <mgorny@gentoo.org>
          Fri, 16 Jun 2023 14:16:37 +0000 (16:16 +0200)
committer danyonsewell <danyonsewell@catalyst.net.nz>
          Fri, 4 Aug 2023 00:59:11 +0000 (00:59 +0000)
commit    b552f4b4694287639cd5899de610f78149afbbcc
tree      fcd227bc3d055ac19c37d0aa5d7f57b780eded2e
parent    1f6220047e22d7a6366e7dce774c100fd783e2ff
Bug 34023: Prevent HTML injection in "back to results" link from search page

It is possible to inject raw HTML into the "Back to search results" link by leading the user to a search with a specially crafted URL.

For example, using the demo instance:

1. Visit https://koha.adminkuhn.ch/cgi-bin/koha/opac-search.pl?idx=&q=test&weight_search=1&%22%3Etest%3Ca%20foo=%22

2. Refresh the page (for some reason, "back to results" doesn't appear unless I do that at least once).

3. Click any result.

Note that the result page now contains:

  <a href="opac-search.pl?idx=&amp;q=test&amp;weight_search=1&amp;">test<a foo=%22" title="...

i.e. `">test<a ...` was successfully injected into the HTML.

I'm attaching a quick patch I've used to patch up our instance.  It just indiscriminately URI-escapes all parameter keys.  I didn't decode them back since as far as I understand all valid keys do not contain special characters.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 863d8fed15411b03adfe2105fc7d4b2321fea0b9)
Signed-off-by: danyonsewell <danyonsewell@catalyst.net.nz>
opac/opac-search.pl