From 84c5bebcd3a93d21bd7b800b63ba3506adcaf0bf Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 09:23:13 +0530
Subject: [PATCH] Bug 19105 - XSS Stored in holidays.pl

To Test
1. Hit the page /cgi-bin/koha/tools/holidays.pl
2. Select the date
3. Add a text in the field Title and Description that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Fixed for all holidays

Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
(cherry picked from commit 1ceb4367c6879be812b600487385c53bb005260d)
Signed-off-by: Fridolin Somers
---
 .../prog/en/modules/tools/holidays.tt | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/holidays.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/holidays.tt
index 4aa4e3a327..e81b14f785 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/holidays.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/holidays.tt
@@ -17,17 +17,17 @@ var day_month_holidays = new Array();
 var hola= "[% code %]";
 [% FOREACH WEEK_DAYS_LOO IN WEEK_DAYS_LOOP %]
- week_days["[% WEEK_DAYS_LOO.KEY %]"] = {title:"[% WEEK_DAYS_LOO.TITLE | replace('"','\"') %]", description:"[% WEEK_DAYS_LOO.DESCRIPTION | replace('"','\"') %]"};
+ week_days["[% WEEK_DAYS_LOO.KEY %]"] = {title:"[% WEEK_DAYS_LOO.TITLE | replace('"','\"') |html %]", description:"[% WEEK_DAYS_LOO.DESCRIPTION | replace('"','\"') |html %]"};
 [% END %]
 [% FOREACH HOLIDAYS_LOO IN HOLIDAYS_LOOP %]
 holidates.push("[% HOLIDAYS_LOO.KEY %]");
- holidays["[% HOLIDAYS_LOO.KEY %]"] = {title:"[% HOLIDAYS_LOO.TITLE | replace('"','\"') %]", description:"[% HOLIDAYS_LOO.DESCRIPTION | replace('"','\"') %]"};
+ holidays["[% HOLIDAYS_LOO.KEY %]"] = {title:"[% HOLIDAYS_LOO.TITLE | replace('"','\"') |html %]", description:"[% HOLIDAYS_LOO.DESCRIPTION | replace('"','\"') |html %]"};
 [% END %]
 [% FOREACH EXCEPTION_HOLIDAYS_LOO IN EXCEPTION_HOLIDAYS_LOOP %]
- exception_holidays["[% EXCEPTION_HOLIDAYS_LOO.KEY %]"] = {title:"[% EXCEPTION_HOLIDAYS_LOO.TITLE | replace('"','\"') %]", description:"[% EXCEPTION_HOLIDAYS_LOO.DESCRIPTION | replace('"','\"') %]"};
+ exception_holidays["[% EXCEPTION_HOLIDAYS_LOO.KEY %]"] = {title:"[% EXCEPTION_HOLIDAYS_LOO.TITLE | replace('"','\"') |html %]", description:"[% EXCEPTION_HOLIDAYS_LOO.DESCRIPTION | replace('"','\"') |html %]"};
 [% END %]
 [% FOREACH DAY_MONTH_HOLIDAYS_LOO IN DAY_MONTH_HOLIDAYS_LOOP %]
- day_month_holidays["[% DAY_MONTH_HOLIDAYS_LOO.KEY %]"] = {title:"[% DAY_MONTH_HOLIDAYS_LOO.TITLE | replace('"','\"') %]", description:"[% DAY_MONTH_HOLIDAYS_LOO.DESCRIPTION | replace('"','\"') %]"};
+ day_month_holidays["[% DAY_MONTH_HOLIDAYS_LOO.KEY %]"] = {title:"[% DAY_MONTH_HOLIDAYS_LOO.TITLE | replace('"','\"') |html %]", description:"[% DAY_MONTH_HOLIDAYS_LOO.DESCRIPTION | replace('"','\"') |html %]"};
 [% END %]
 function holidayOperation(formObject, opType) {
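Review bot: On the four `+` lines `|html` is applied inside a JavaScript string literal, which is HTML-context escaping used in a script context: the filter leaves backslashes and line terminators untouched, so a title or description containing a raw newline or a trailing `\` still breaks out of the literal, and because it runs after `replace('"','\"')` every quote becomes `\&quot;`, so the values reach `week_days`/`holidays`/`exception_holidays`/`day_month_holidays` entity-encoded rather than as the original text (fine if they are later inserted as HTML, wrong if they are copied into an input for editing). A filter that escapes for a JavaScript string — backslash, both quote characters, `\r`/`\n` and the `</` sequence that would end the script element — would cover both the injection and the breakage at once, and the `replace` would then be redundant. The context lines `var hola= "[% code %]";` and the `[% …KEY %]` array indices are still emitted unescaped; if either can carry user-entered text they need the same treatment, though from the hunk alone I cannot tell whether they are system-generated. `holidayOperation` starts on the last context line and its body lies outside the hunk.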
@@ -446,8 +446,8 @@ td.repeatableyearly a.ui-state-default { background: #FFCC66 none; color : Bl
 [% FOREACH EXCEPTION_HOLIDAYS_LOO IN EXCEPTION_HOLIDAYS_LOOP %]
 [% EXCEPTION_HOLIDAYS_LOO.DATE %]
- [% EXCEPTION_HOLIDAYS_LOO.TITLE %]
- [% EXCEPTION_HOLIDAYS_LOO.DESCRIPTION %]
+ [% EXCEPTION_HOLIDAYS_LOO.TITLE |html %]
+ [% EXCEPTION_HOLIDAYS_LOO.DESCRIPTION |html %]
 [% END %]
@@ -469,8 +469,8 @@ td.repeatableyearly a.ui-state-default { background: #FFCC66 none; color : Bl
 [% WEEK_DAYS_LOO.KEY %]
- [% WEEK_DAYS_LOO.TITLE %]
- [% WEEK_DAYS_LOO.DESCRIPTION %]
+ [% WEEK_DAYS_LOO.TITLE |html %]
+ [% WEEK_DAYS_LOO.DESCRIPTION |html %]
 [% END %]
@@ -495,8 +495,8 @@ td.repeatableyearly a.ui-state-default { background: #FFCC66 none; color : Bl
 [% FOREACH DAY_MONTH_HOLIDAYS_LOO IN DAY_MONTH_HOLIDAYS_LOOP %]
 [% DAY_MONTH_HOLIDAYS_LOO.DATE %]
- [% DAY_MONTH_HOLIDAYS_LOO.TITLE %]
- [% DAY_MONTH_HOLIDAYS_LOO.DESCRIPTION %]
+ [% DAY_MONTH_HOLIDAYS_LOO.TITLE |html %]
+ [% DAY_MONTH_HOLIDAYS_LOO.DESCRIPTION |html %]
 [% END %]
@@ -517,8 +517,8 @@ td.repeatableyearly a.ui-state-default { background: #FFCC66 none; color : Bl
 [% FOREACH HOLIDAYS_LOO IN HOLIDAYS_LOOP %]
 [% HOLIDAYS_LOO.DATE %]
- [% HOLIDAYS_LOO.TITLE %]
- [% HOLIDAYS_LOO.DESCRIPTION.replace('\\\r\\\n', '
') %]
+ [% HOLIDAYS_LOO.TITLE |html %]
+ [% HOLIDAYS_LOO.DESCRIPTION.replace('\\\r\\\n', '
') |html %]
 [% END %]
-- 
2.39.5
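Review bot: On the last `+` line of this hunk `|html` runs after `.replace('\\\r\\\n', …)`, so whatever the replacement inserts is escaped as well; if that replacement text is markup (a line-break tag, as the line-ending pattern suggests), it will now render literally and the multi-line formatting of the description is lost. Escaping the raw value first and substituting afterwards keeps both the fix and the formatting, e.g. `[% HOLIDAYS_LOO.DESCRIPTION | html | replace('\\\r\\\n', …) %]` with the replacement text unchanged. The `[% …DATE %]` and `[% WEEK_DAYS_LOO.KEY %]` context lines in this and the three preceding hunks remain unfiltered; they look system-generated, but it is worth confirming none of them is echoed from user input.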