From 60983cfeeec5de1f961228dfc3c59d96f8aa177e Mon Sep 17 00:00:00 2001
From: Galen Charlton <galen.charlton@liblime.com>
Date: Wed, 30 Apr 2008 17:09:14 -0500
Subject: [PATCH] kohabug 2026 - HTML-escape comments

This is a partial, perhaps temporary fix.  "<", ">",
and "&" characters in patron comments (AKA reviews)
are converted to "&lt;", "&gt;", and "&amp;" to avoid
certain attacks, e.g., a user entering a <script> tag
in a comment.

A more permanent fix should scrub all (or perhaps just
unsafe) tags from submitted comments entirely.

Signed-off-by: Joshua Ferraro <jmf@liblime.com>
---
 .../intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tmpl | 2 +-
 koha-tmpl/opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl      | 4 ++--
 koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tmpl          | 4 ++--
 koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tmpl          | 4 ++--
 koha-tmpl/opac-tmpl/prog/en/modules/opac-showreviews.tmpl     | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tmpl
index 035013588b..8fbcd88dd7 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tmpl
@@ -58,7 +58,7 @@ $.tablesorter.addParser({
             <a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber" -->"><!-- TMPL_VAR NAME="bibliotitle" --></a>
         </td>
         <td>
-            <!-- TMPL_VAR NAME="review" -->
+            <!-- TMPL_VAR NAME="review" ESCAPE="HTML" -->
         </td>
         <td>
             <a href="/cgi-bin/koha/reviews/reviewswaiting.pl?op=approve&amp;reviewid=<!-- TMPL_VAR NAME="reviewid" -->">Approve</a> |
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl
index 1e36185ab8..f892b4a097 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl
@@ -129,7 +129,7 @@
                 <!--TMPL_VAR NAME="datereviewed"-->
             </small>
         <p>
-          <!--TMPL_VAR NAME="review"-->
+          <!--TMPL_VAR NAME="review" ESCAPE="HTML"-->
         </p>
         <!--/TMPL_LOOP-->
     <!-- TMPL_ELSE  -->
@@ -185,4 +185,4 @@
 </div>
 	<!-- TMPL_IF NAME="OpacNav" --><div class="yui-b"><!--TMPL_INCLUDE NAME="navigation.inc" --></div><!-- /TMPL_IF -->
 </div>
-<!-- TMPL_INCLUDE NAME="opac-bottom.inc" -->
\ No newline at end of file
+<!-- TMPL_INCLUDE NAME="opac-bottom.inc" -->
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tmpl
index e3e0ed5f39..6afef419d8 100755
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tmpl
@@ -419,7 +419,7 @@
 			</h5>
 			<small><!-- TMPL_VAR NAME="datereviewed" --></small>
         <p>
-          <!-- TMPL_VAR NAME="review" -->
+          <!-- TMPL_VAR NAME="review" ESCAPE="HTML" -->
 		  <a href="#" onclick="Dopop('/cgi-bin/koha/opac-review.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber"-->&amp;reviewid=<!-- TMPL_VAR NAME="reviewid" -->');">Edit</a>
         </p></div>
 			<!-- TMPL_ELSE -->
@@ -432,7 +432,7 @@
             </h5>
 			<small><!-- TMPL_VAR NAME="datereviewed" --></small>
         <p>
-          <!-- TMPL_VAR NAME="review" -->
+          <!-- TMPL_VAR NAME="review" ESCAPE="HTML" -->
         </p></div>
 			<!-- /TMPL_IF -->
         <!-- /TMPL_LOOP -->
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tmpl
index 146d60b119..4528d71492 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tmpl
@@ -24,13 +24,13 @@
 		$('#reviewf').submit( function() {
 			<!-- TMPL_IF NAME="reviewid" -->
 			parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').prev("small").prev("h5").html("Your Edited Comment (preview, pending approval)");
-			parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').html($("#review").val());
+			parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').html($("#review").val().replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;'));
 			parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').append(" <a href=\"#comment\" onclick=\"Dopop(\'/cgi-bin/koha/opac-review.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber"-->&amp;reviewid=<!-- TMPL_VAR NAME="reviewid" -->\');\">Edit</a>");
 			window.close();
 			<!-- TMPL_ELSE -->
 			parent.opener.$('#newcomment').attr("class","yours");
 			parent.opener.$('#newcomment').html("<h5>Your Comment (preview, pending approval)</h5>");
-			parent.opener.$('#newcomment').append("<p>"+$("#review").val());
+			parent.opener.$('#newcomment').append("<p>"+$("#review").val().replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;'));
 			parent.opener.$('#newcomment p').append(" <a href=\"#comment\" onclick=\"Dopop(\'/cgi-bin/koha/opac-review.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber"-->&amp;reviewid=<!-- TMPL_VAR NAME="reviewid" -->\');\">Edit</a></p>");
 			parent.opener.$("#addcomment").prev("p").remove();
 			parent.opener.$("#addcomment").remove();
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-showreviews.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-showreviews.tmpl
index 7e44348e57..4d3bf1860d 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-showreviews.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-showreviews.tmpl
@@ -19,7 +19,7 @@
     </tr>
     <tr>
         <td>
-            <!--TMPL_VAR NAME="review"-->
+            <!--TMPL_VAR NAME="review" ESCAPE="HTML"-->
             <p><!--TMPL_VAR NAME="datereviewed"--></p>
         </td>
     </tr>
-- 
2.39.5