From c27216cce84fe07c962a8878be51025c9fe0aace Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Tue, 2 Aug 2016 16:02:07 +0100
Subject: [PATCH] Bug 16800: Fix XSS in catalogue/*detail.tt - title
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Test plan:
catalogue a bibliographic record with a title=
Go on the detail pages.
=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack

This of course means that any html in the title will no longer be evaluated.
:
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit 515208d5ec308ade967efe04388bbedbf5f2b057)
Signed-off-by: Frédéric Demians
---
 .../intranet-tmpl/prog/en/modules/catalogue/ISBDdetail.tt | 2 +-
 .../intranet-tmpl/prog/en/modules/catalogue/MARCdetail.tt | 2 +-
 koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt | 4 ++--
 .../prog/en/modules/catalogue/labeledMARCdetail.tt | 6 +++---
 .../intranet-tmpl/prog/en/modules/catalogue/moredetail.tt | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/ISBDdetail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/ISBDdetail.tt
index 1c61305cf2..abe3ea225c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/ISBDdetail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/ISBDdetail.tt
@@ -3,7 +3,7 @@
 [% IF ( unknownbiblionumber ) %]
 Unknown record
 [% ELSE %]
- ISBD details for [% title %]
+ ISBD details for [% title | html %]
 [% END %]
 [% INCLUDE 'doc-head-close.inc' %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/MARCdetail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/MARCdetail.tt
index 992bd0afc2..1c329635ac 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/MARCdetail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/MARCdetail.tt
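Review bot: The `| html` filter added on `[% title %]` escapes `<`, `>`, `&` and `"`, which is the right treatment for the text of the `<title>` element in this hunk, but it does not escape `'` and is not sufficient for a single-quoted attribute or an inline-script context, so the same one-line fix should not be copied into such positions without a context-appropriate filter (for example `uri` for URL components). The same applies to the `[% bibliotitle | html %]` line in the MARCdetail.tt hunk that follows. Both hunks cover only the `<title>` occurrence of the variable; if the title is also printed in the page body of these templates (outside the hunks), those output points presumably need the same filter and are worth confirming. The hunk header declares seven lines but only six are visible, so a markup-only context line was probably dropped when this patch was rendered.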
@@ -3,7 +3,7 @@
 [% IF ( unknownbiblionumber ) %]
 Unknown record
 [% ELSE %]
- MARC details for [% bibliotitle %]
+ MARC details for [% bibliotitle | html %]
 [% END %]
 [% INCLUDE 'doc-head-close.inc' %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
index 5b59e1ccb0..8dd72cf8e6 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
@@ -22,7 +22,7 @@
 [% IF ( unknownbiblionumber ) %]
 Unknown record
 [% ELSE %]
- Details for [% title |html %] [% FOREACH subtitl IN subtitle %] [% subtitl.subfield %][% END %]
+ Details for [% title |html %] [% FOREACH subtitl IN subtitle %] [% subtitl.subfield | html %][% END %]
 [% END %]
 [% INCLUDE 'doc-head-close.inc' %]
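Review bot: The new line in the detail.tt hunk filters `subtitl.subfield` but leaves the pre-existing `[% title |html %]` on the same line with a different spacing; writing it as `[% title | html %]` keeps the two filters consistent and makes unfiltered directives easier to spot with a grep. More importantly, this hunk shows that `title` had already been escaped here while the subtitle subfields from the same record were not, which suggests escaping was applied per variable rather than per output point; every record-derived value printed in these templates deserves the same check, especially since the diffstat lists a second change in detail.tt and changes in labeledMARCdetail.tt and moredetail.tt that are not in view. As with the two `<title>` hunks above, the `html` filter is adequate for element text but not for single-quoted attributes or script contexts.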