From f94162564ad57ac9747d3967ba6671d982545dbc Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 9 Aug 2017 14:08:24 -0300
Subject: [PATCH] Bug 18726: Fix XSS at the OPAC - biblionumber

The biblionumber parameter is sent by the user, we must escape all of them to avoid XSS.

Fixes: Cross-site scripting OPAC pages

Signed-off-by: Amit Gupta
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
---
 .../bootstrap/en/includes/opac-bottom.inc | 6 ++--
 .../en/includes/opac-detail-sidebar.inc | 14 ++++----
 .../bootstrap/en/modules/opac-ISBDdetail.tt | 2 +-
 .../bootstrap/en/modules/opac-MARCdetail.tt | 12 +++----
 .../en/modules/opac-alert-subscribe.tt | 10 +++---
 .../bootstrap/en/modules/opac-detail.tt | 34 +++++++++----------
 .../en/modules/opac-full-serial-issues.tt | 6 ++--
 .../en/modules/opac-serial-issues.tt | 2 +-
 8 files changed, 43 insertions(+), 43 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-bottom.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-bottom.inc
index 80626e09e2..834669144d 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-bottom.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-bottom.inc
@@ -154,15 +154,15 @@ $.widget.bridge('uitooltip', $.ui.tooltip);
 return false;
 });
 $("#ulactioncontainer > ul > li > a.addtoshelf").on("click",function(){
- Dopop('opac-addbybiblionumber.pl?biblionumber=[% biblionumber %]');
+ Dopop('opac-addbybiblionumber.pl?biblionumber=[% biblionumber | html %]');
 return false;
 });
 $(".addrecord").on("click",function(){
- addRecord('[% biblionumber %]');
+ addRecord('[% biblionumber | html %]');
 return false;
 });
 $(".cartRemove").on("click",function(){
- delSingleRecord('[% biblionumber %]');
+ delSingleRecord('[% biblionumber | html %]');
 return false;
 });
 $(".clearsh").on("click", function(){
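Review bot: The `| html` filter on the three added lines (the Dopop, addRecord and delSingleRecord calls) is applied inside single-quoted JavaScript string literals, and Template Toolkit's `html` filter, as far as I know, encodes `&`, `<`, `>` and `"` but not the single quote, so a value containing `'` can still terminate the literal early even though `</script>` breakout is now blocked. For the Dopop call the value also becomes part of a URL query string, where `| uri` is the context-matched filter, e.g. `Dopop('opac-addbybiblionumber.pl?biblionumber=[% biblionumber | uri %]');`. Since biblionumber is meant to be an integer, the robust fix is to reject non-numeric values in the CGI script before the template is rendered and keep the template filter as defence in depth. The enclosing ready handler starts and ends outside the hunk.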
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc index 17fd0e8468..5e96b0f6bf 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc +++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc @@ -4,7 +4,7 @@ [% IF Koha.Preference( 'opacuserlogin' ) == 1 %] [% IF Koha.Preference( 'RequestOnOpac' ) == 1 %] [% IF ( AllowOnShelfHolds OR ItemsIssued ) %] -
  • Place hold
  • +
  • Place hold
  • [% END %] [% END %] [% END %] @@ -14,21 +14,21 @@ [% IF Koha.Preference( 'opacuserlogin' ) == 1 %] [% IF Koha.Preference('ArticleRequests') %] -
  • Request article
  • +
  • Request article
  • [% END %] [% END %] [% IF Koha.Preference( 'virtualshelves' ) == 1 %] [% IF ( ( Koha.Preference( 'opacuserlogin' ) == 1 ) && loggedinusername ) %] -
  • Save to your lists
  • +
  • Save to your lists
  • [% END %] [% END %] [% IF Koha.Preference( 'opacbookbag' ) == 1 %] [% IF ( incart ) %] -
  • In your cart (remove)
  • +
  • In your cart (remove)
  • [% ELSE %] -
  • Add to your cart
  • +
  • Add to your cart
  • [% END %] [% END %] @@ -51,7 +51,7 @@
  • Dublin Core
  • [% ELSE %]
  • - + [% SWITCH option %] [% CASE 'bibtex' %]BIBTEX [% CASE 'endnote' %]EndNote @@ -107,7 +107,7 @@
    - +