From 146f7314cf983ae20c35b2606acce7408e42e00e Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 17 Mar 2021 11:38:47 +0100
Subject: [PATCH] Bug 27942: Prevent XSS vulnerabilities in quote-upload
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

When uploading new quotes the JS variables are not escaped correctly.

Test plan:
Create a new file with the following content (remove the first and last lines containing """):
"""
":this is a source","this is a text"
"this is another ❤one","and another text❤"
"this ","and "
"""
Go to Home › Tools › Quote editor
Click Import quote
Select the file
Edit the third line, hit enter
Import quotes

Signed-off-by: Martin Renvoize
Signed-off-by: Julian Maurice
Signed-off-by: Jonathan Druart
---
 .../intranet-tmpl/prog/en/modules/tools/quotes-upload.tt | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes-upload.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes-upload.tt
index 5ff43b641d..9e4c9c027f 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes-upload.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/quotes-upload.tt
@@ -175,6 +175,8 @@
 // then default to comma.
 strDelimiter = (strDelimiter || ",");
 
+ strData = escape_str(strData);
+
 // Create a regular expression to parse the CSV values.
 var objPattern = new RegExp(
 (
@@ -302,6 +304,7 @@
 "fnDrawCallback": function(oSettings) {
 /* Apply the jEditable handlers to the table on all fields w/o the no_edit id */
 $('#quotes_editor tbody td[id!="no_edit"]').editable( function(value, settings) {
+ value = escape_str(value);
 var cellPosition = oTable.fnGetPosition( this );
 oTable.fnUpdate(value, cellPosition[0], cellPosition[1], false, false);
 return(value);
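Review bot: `strData = escape_str(strData);` escapes the entire CSV document before the delimiter regex built just below parses it, so any character escape_str rewrites (its definition is not in this hunk; if it turns `"` into an entity, as HTML escapers commonly do) no longer matches the quote-handling groups of objPattern, and quoted fields such as `":this is a source"` from the test plan would be tokenized differently from before the patch. Escaping belongs after parsing, applied to each matched field value as it is pushed into the result row, or better still at the point where the value is written into the DOM. The enclosing CSV-parsing function starts before and ends after this hunk.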
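Review bot: The edited value is passed through escape_str, written back into the DataTable with fnUpdate and returned to jEditable, so the table now holds the escaped text rather than what the user typed; the third hunk (fnGetData) then escapes `&`, `<` and `>` a second time before posting, so an edited cell containing `&` or `<` is double-encoded on its way to /api/v1/quotes, and re-editing the same cell escapes the already-escaped text again (assuming escape_str emits HTML entities, which the page does not show). Keeping the raw value in the table and escaping once, where the cell is rendered, avoids this. The editable callback and the surrounding fnDrawCallback continue outside the hunk.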
@@ -368,7 +371,9 @@ function fnGetData(element) {
 var lines = oTable.fnGetData();
 $(lines).each(function(line){
- var data = {source: this[1], text: this[2]};
+ var s = this[1].replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>');
+ var t = this[2].replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>');
+ var data = {source: s, text: t};
 var success = 0;
 var error = 0;
 $.ajax({
 url : "/api/v1/quotes",
-- 
2.39.5
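Review bot: As printed here the replacement strings in the two `.replace()` chains are the same characters they match (`'&'`, `'<'`, `'>'`), which makes every call a no-op; this looks like entity text decoded in transit, but it is worth confirming against the committed file. Even with the intended entities, this is a second, hand-rolled copy of the escaping that escape_str already provides in the first two hunks, and it converts the quote text into HTML before it is sent to the API, so what gets stored is the entity-encoded form rather than the text — escaping on output, in whatever renders the stored quotes, would be the usual fix and keeps the payload intact. `this[1].replace(...)` would also throw a TypeError if a cell is undefined rather than a string, aborting the `.each` loop before the remaining rows are posted; whether fnGetData can yield such rows is not visible here. If pre-submit escaping is kept, `var data = {source: escape_str(this[1]), text: escape_str(this[2])};` reuses the single helper instead of duplicating the rules. The each callback and fnGetData continue outside the hunk.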