From 6b844169fd06b2954146a6eae41adcfffd1e31fb Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Wed, 28 Aug 2024 12:18:06 +0200 Subject: [PATCH] Bug 37720: Prevent XSS in label creator Because labels/label-edit-batch.pl fills a DataTable with things that include a link created by C4/Creators/Lib.pm, it outputs them with the $raw filter, so HTML in author/title/callnumber is executed in the label batch editor. While we wait for a fix that moves the link creation into the template and out of C4, encoding HTML in Lib.pm for the bits going into the link, and switching from $raw to the html filter for the rest of the things, will at least get rid of the XSS. Test plan: 1. Without this patch, but with the patch from bug 37654 so you don't get alert()s in batch import, download attachment 170675 [details] 2. Cataloging - Stage records for import - browse to the downloaded file - Upload file - when the upload finishes Stage for import - when staging finishes View batch (get alert()s if you didn't apply bug 37654) - Import this batch into the catalog 3. Once the import finishes, Cataloging - Manage staged records 4. In the row for your import, in the # Items column, click "(Create label batch)" 5. In the "Label batch #n created" message, click the link to the batch # 6. Because the batch includes a call number with an open