From 4a6a8e1242410d312942c4bb93a60117d0dc2dbf Mon Sep 17 00:00:00 2001 From: David Cook Date: Wed, 13 Sep 2023 01:33:43 +0000 Subject: [PATCH] Bug 34761: Prevent XSS for searches and saved search filters tags are interpreted in JSON strings as HTML, which can lead to XSS attacks. This patch puts HTML escaped JSON in the value of a hidden HTML element. The Javascript then takes the value as a string, parses it as JSON, and is able to use it to save search filters without triggering a XSS attack. This patch also adds DataTable's built-in HTML escaping for the query and limits on the admin UI for the search filters. Test plan: 0. Apply patch 1. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=SavedSearchFilters 2. Enable the system preference 3. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e 4. Click "Save search as filter" 5. Checkbox "Show in staff interface?" 6. Type "E-TEST" into box and click 'Save' 7. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e 8. Click "E-TEST" under "Custom search filters" 9. Note that you see search results 10. Go to http://localhost:8081/cgi-bin/koha/admin/search_filters.pl 11. Note that for "E-TEST" you see a "Query" like {"operators":[],"operands":["e"],"indexes":[]} 12. Note that for "E-TEST" you see a "Limits" like {"limits":[]} Signed-off-by: Lucas Gass Signed-off-by: Marcel de Rooy Signed-off-by: Tomas Cohen Arazi (cherry picked from commit 4e32b761986f5de28df4f1125b5d16c6c2f24306) Signed-off-by: Matt Blenkinsop --- .../intranet-tmpl/prog/en/modules/admin/search_filters.tt | 6 ++++-- .../intranet-tmpl/prog/en/modules/catalogue/results.tt | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt index 239ee38597..3a6fa540c6 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt @@ -114,12 +114,14 @@ { "data": "query", "searchable": true, - "orderable": true + "orderable": true, + "render": jQuery.fn.DataTable.render.text() }, { "data": "limits", "searchable": true, - "orderable": true + "orderable": true, + "render": jQuery.fn.DataTable.render.text() }, { "data": "opac", diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt index 9bd7246252..89de45cb2c 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt @@ -771,6 +771,8 @@ + + [% MACRO jsinclude BLOCK %] [% Asset.js("js/browser.js") | $raw %] [% Asset.js("lib/hc-sticky.js") | $raw %] @@ -811,8 +813,8 @@ query_desc: "[% To.json( query_desc ) | html %]", query_cgi: "[% query_cgi | html %]", limit_cgi: "[% limit_cgi | html %]", - query_json: [% query_json | $raw %], - limit_json: [% limit_json | $raw %], + query_json: JSON.parse($('#query_json').val()), + limit_json: JSON.parse($('#limit_json').val()), sort_by: "[% sort_by | html %]", gotoPage: "[% gotoPage | html %]", gotoNumber: "[% gotoNumber | html %]", -- 2.39.5