From acf91323c5253db5058812628bca58193054c65b Mon Sep 17 00:00:00 2001
From: David Cook
Date: Wed, 13 Sep 2023 01:33:43 +0000
Subject: [PATCH] Bug 34761: Prevent XSS for searches and saved search filters

tags are interpreted in JSON strings as HTML, which can lead to XSS attacks. This patch puts HTML escaped JSON in the value of a hidden HTML element. The Javascript then takes the value as a string, parses it as JSON, and is able to use it to save search filters without triggering a XSS attack. This patch also adds DataTable's built-in HTML escaping for the query and limits on the admin UI for the search filters.

Test plan:
0. Apply patch
1. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=SavedSearchFilters
2. Enable the system preference
3. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
4. Click "Save search as filter"
5. Checkbox "Show in staff interface?"
6. Type "E-TEST" into box and click 'Save'
7. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
8. Click "E-TEST" under "Custom search filters"
9. Note that you see search results
10. Go to http://localhost:8081/cgi-bin/koha/admin/search_filters.pl
11. Note that for "E-TEST" you see a "Query" like {"operators":[],"operands":["e"],"indexes":[]}
12. Note that for "E-TEST" you see a "Limits" like {"limits":[]}

Signed-off-by: Lucas Gass
Signed-off-by: Marcel de Rooy
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit 4e32b761986f5de28df4f1125b5d16c6c2f24306)
Signed-off-by: Fridolin Somers
---
 .../intranet-tmpl/prog/en/modules/admin/search_filters.tt | 6 ++++--
 .../intranet-tmpl/prog/en/modules/catalogue/results.tt | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt
index 239ee38597..3a6fa540c6 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/search_filters.tt
@@ -114,12 +114,14 @@
 {
 "data": "query",
 "searchable": true,
- "orderable": true
+ "orderable": true,
+ "render": jQuery.fn.DataTable.render.text()
 },
 {
 "data": "limits",
 "searchable": true,
- "orderable": true
+ "orderable": true,
+ "render": jQuery.fn.DataTable.render.text()
 },
 {
 "data": "opac",
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
index df1d92eeaa..9f3de2ed33 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
@@ -777,6 +777,8 @@
+
+
 [% MACRO jsinclude BLOCK %]
 [% Asset.js("js/browser.js") | $raw %]
 [% Asset.js("lib/hc-sticky.js") | $raw %]
@@ -817,8 +819,8 @@
 query_desc: "[% To.json( query_desc ) | html %]",
 query_cgi: "[% query_cgi | html %]",
 limit_cgi: "[% limit_cgi | html %]",
- query_json: [% query_json | $raw %],
- limit_json: [% limit_json | $raw %],
+ query_json: JSON.parse($('#query_json').val()),
+ limit_json: JSON.parse($('#limit_json').val()),
 sort_by: "[% sort_by | html %]",
 gotoPage: "[% gotoPage | html %]",
 gotoNumber: "[% gotoNumber | html %]",
--
2.39.5
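Review bot: `jQuery.fn.DataTable.render.text()` is added only to the `query` and `limits` columns, yet the filter name in this same table is also user-typed text (test plan step 6 has the user entering it), and that column sits outside the hunk, so it presumably needs the same `"render"` entry; please confirm the full column list. The renderer also only protects what DataTables itself draws into the cell: any other code on this page that copies `query`/`limits` into the DOM (an edit form, a row-click handler, export buttons) has to escape separately, since the stored value is still raw JSON. A short comment above the two entries, e.g. `// stored JSON is user-controlled; render.text() HTML-escapes it on draw`, would record why the renderer is there so it is not dropped in a later column refactor. The column definition array these entries belong to starts and ends outside the hunk.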
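Review bot: The two added lines in this hunk are empty in this copy of the patch, so the elements that `#query_json` and `#limit_json` later resolve to cannot be reviewed here; per the commit message they carry HTML-escaped JSON in a `value` attribute. For that scheme to close the XSS the attribute must be emitted through the `| html` filter and never `$raw`, and the element must be one whose `.val()` returns the decoded attribute text (e.g. `<input type="hidden">`), so please verify both in the full diff. A Template Toolkit comment next to them, e.g. `[%# JSON is HTML-escaped here and JSON.parse'd in jsinclude below; never use $raw %]`, would tie the two halves of the fix together for the next maintainer. The surrounding markup that these lines sit in is cut off on both sides of the hunk.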
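Review bot: `JSON.parse($('#query_json').val())` throws a SyntaxError when the hidden input is missing or its value is empty (`.val()` then yields `undefined` or `""`), and because the call sits inside an object literal whose opening line is above this hunk, that exception aborts the entire inline script rather than just this one field. The escape-then-parse approach itself is sound — the browser decodes the entity-escaped attribute when it builds the DOM, so `.val()` returns plain JSON text and a `</script>` inside the stored query can no longer break out of the page — but it is worth a small helper that returns a fallback on empty or invalid input and logs the failure. The fallback value (`{}` below) should match what the consumer of `query_json`/`limit_json` expects; the test plan shows objects like `{"operators":[],"operands":["e"],"indexes":[]}` and `{"limits":[]}`, so an empty object is a guess to confirm. The object literal these two fields belong to starts and ends outside the hunk.
```javascript
// Reads the entity-escaped JSON carried by a hidden input. The browser has
// already decoded the entities by the time .val() runs, so this is plain
// JSON text; return `fallback` instead of throwing out of the enclosing
// object literal when the input is missing, empty, or not valid JSON.
function parseJsonFromInput(id, fallback) {
    var text = $('#' + id).val();
    if (!text) { return fallback; }
    try {
        return JSON.parse(text);
    } catch (e) {
        console.error('Invalid JSON in #' + id, e);
        return fallback;
    }
}
// … unchanged: object literal opening, query_desc / query_cgi / limit_cgi …
query_json: parseJsonFromInput('query_json', {}),
limit_json: parseJsonFromInput('limit_json', {}),
```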