From e4341e2d2d4d9249cd7889e69107436ce03f816e Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Tue, 4 May 2021 11:48:03 +0200 Subject: [PATCH] Bug 27942: [20.11] Prevent XSS vulnerabilities in quote-upload Signed-off-by: Victor Grousset/tuxayo --- .../prog/en/modules/tools/quotes-upload.tt | 3 +++ .../intranet-tmpl/prog/en/modules/tools/quotes.tt | 14 ++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes-upload.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes-upload.tt index 8103d17abd..f01dcfa02d 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes-upload.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes-upload.tt @@ -148,6 +148,8 @@ // then default to comma. strDelimiter = (strDelimiter || ","); + strData = escape_str(strData); + // Create a regular expression to parse the CSV values. var objPattern = new RegExp( ( @@ -274,6 +276,7 @@ "fnDrawCallback": function(oSettings) { /* Apply the jEditable handlers to the table on all fields w/o the no_edit id */ $('#quotes_editor tbody td[id!="no_edit"]').editable( function(value, settings) { + value = escape_str(value); var cellPosition = oTable.fnGetPosition( this ); oTable.fnUpdate(value, cellPosition[0], cellPosition[1], false, false); return(value); diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes.tt index 5339069a0f..c42f41d83a 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes.tt @@ -86,8 +86,18 @@ "sAjaxSource" : "/cgi-bin/koha/tools/quotes/quotes_ajax.pl", "aoColumns" : [ { "sWidth": "3%" }, - { "sWidth": "11%" }, - { "sWidth": "75%" }, + { + "sWidth": "11%", + "render": function(data, type, row, meta){ + return escape_str(data); + } + }, + { + "sWidth": "75%", + "render": function(data, type, row, meta){ + return escape_str(data); + } + }, { "sWidth": "11%" }, ], "oLanguage": dataTablesDefaults.oLanguage, -- 2.39.5