From 4333617b1d33b2c7c0488de593c76ac79f4ebf70 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Mon, 13 Nov 2017 09:05:14 +0530
Subject: [PATCH] Bug 19612: Fix XSS in members/memberentry.pl

To Test
1. Hit the page /cgi-bin/koha/members/memberentry.pl
2. Add a text in the field address, address2, city, state, country, zipcode, B_streetnumber, B_city, B_country, B_zipcode that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Chris Cormack
Signed-off-by: Katrin Fischer
Signed-off-by: Jonathan Druart
Signed-off-by: Nick Clemens
---
 .../member-display-address-style-us.inc | 8 ++++----
 .../member-display-alt-address-style-us.inc | 8 ++++----
 .../prog/en/modules/members/moremember.tt | 20 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/member-display-address-style-us.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/member-display-address-style-us.inc
index d8dc12ffb7..2e80d33f88 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/member-display-address-style-us.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/member-display-address-style-us.inc
@@ -4,13 +4,13 @@
 [% IF streettype %]
 [% SET roadtype_desc = AuthorisedValues.GetByCode('ROADTYPE', streettype) %]
 [% END %]
-
  • [% if (streetnumber) %][% streetnumber %][% end %] [% address %] [% IF roadtype_desc %][% roadtype_desc %] [% END %][% end %]
  • +
  • [% if (streetnumber) %][% streetnumber |html %][% end %] [% address |html %] [% IF roadtype_desc %][% roadtype_desc |html %] [% END %][% end %]
  • [% END %] [% IF ( address2 ) %] -
  • [% address2 %]
  • +
  • [% address2 |html %]
  • [% END %] [% END %] [% IF ( city ) %]
  • - [% city %][% IF ( state ) %], [% state %][% END %] - [% zipcode %][% IF ( country ) %], [% country %][% END %]
  • + [% city |html %][% IF ( state ) %], [% state |html %][% END %] + [% zipcode |html %][% IF ( country ) %], [% country |html %][% END %] [% END %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/member-display-alt-address-style-us.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/member-display-alt-address-style-us.inc index a138b6e623..78830ff30e 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/member-display-alt-address-style-us.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/member-display-alt-address-style-us.inc @@ -4,13 +4,13 @@ [% IF B_streettype %] [% SET roadtype_desc = AuthorisedValues.GetByCode('ROADTYPE', B_streettype) %] [% END %] -
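Review bot: The `|html` filter is added only to the `-style-us` address include, yet the fields it escapes (`address`, `address2`, `city`, `state`, `zipcode`, `country`) are the same patron columns rendered by whichever address-style include the site has selected (to my knowledge via the AddressFormat preference); any sibling address-style include that is not in this patch stays an unfixed sink for the same input. The alt-address include in the next hunk is already covered by this commit. Filtering `roadtype_desc` here is also right, since an authorised-value description is staff-entered text rather than a constant.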
  • [% if (B_streetnumber) %][% B_streetnumber %][% end %] [% B_address %] [% IF roadtype_desc %][% roadtype_desc %] [% END %][% end %]
  • +
  • [% if (B_streetnumber) %][% B_streetnumber |html %][% end %] [% B_address |html %] [% IF roadtype_desc %][% roadtype_desc |html %] [% END %][% end %]
  • [% END %] [% IF ( B_address2 ) %] -
  • [% B_address2 %]
  • +
  • [% B_address2 |html %]
  • [% END %] [% END %] [% IF ( B_city ) %]
  • - [% B_city %][% IF ( B_state ) %], [% B_state %][% END %] - [% B_zipcode %][% IF ( B_country ) %], [% B_country %][% END %]
  • + [% B_city |html %][% IF ( B_state ) %], [% B_state |html %][% END %] + [% B_zipcode |html %][% IF ( B_country ) %], [% B_country |html %][% END %] [% END %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt index 83e964ae5a..180d941562 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt @@ -238,11 +238,11 @@ function validate1(date) { [% IF ( phone ) %]
  • Primary phone: [% phone | html %]
  • [% END %] [% IF ( phonepro ) %]
  • Secondary phone: [% phonepro | html %]
  • [% END %] [% IF ( mobile ) %]
  • Other phone: [% mobile | html %]
  • [% END %] - [% IF ( fax ) %]
  • Fax: [% fax %]
  • [% END %] + [% IF ( fax ) %]
  • Fax: [% fax |html %]
  • [% END %] [% IF ( email ) %][% END %] [% IF ( emailpro ) %][% END %] [% UNLESS ( I ) %] - [% IF ( initials ) %]
  • Initials: [% initials %]
  • [% END %] + [% IF ( initials ) %]
  • Initials: [% initials | html %]
  • [% END %] [% IF ( dateofbirth ) %]
  • Date of birth:[% dateofbirth | $KohaDates %] ([% age %] years)
  • [% END %] [% IF ( sex ) %]
  • Gender: [% IF ( sex == 'F' ) %]Female[% ELSIF ( sex == 'M' ) %]Male[% ELSE %][% sex %][% END %] @@ -422,9 +422,9 @@ function validate1(date) { [% END %]
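Review bot: `[% sex %]` in the Gender fallback branch on the hunk's last context line is still emitted unfiltered on the new side, while `fax` and `initials` in the same block now get the filter; `sex` is a patron-record value like them, so it should read `[% ELSE %][% sex | html %][% END %]`. Separately, `[% fax |html %]` and `[% initials | html %]` spell the filter two different ways within one hunk, and the surrounding `[% phone | html %]` lines already use the spaced form; writing `| html` consistently (also in the @@ -422, @@ -432 and @@ -475 hunks) keeps a grep for unfiltered directives reliable. The enclosing template block continues outside the hunk.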
  • - [% IF ( sort1 ) %]
  • Sort field 1:[% AuthorisedValues.GetByCode('Bsort1', sort1) %]
  • [% END %] - [% IF ( sort2 ) %]
  • Sort field 2:[% AuthorisedValues.GetByCode('Bsort2', sort2) %]
  • [% END %] -
  • Username: [% userid %]
  • + [% IF ( sort1 ) %]
  • Sort field 1:[% AuthorisedValues.GetByCode('Bsort1', sort1) |html %]
  • [% END %] + [% IF ( sort2 ) %]
  • Sort field 2:[% AuthorisedValues.GetByCode('Bsort2', sort2) |html %]
  • [% END %] +
  • Username: [% userid |html %]
  • Password: [% IF ( password ) %] ******* @@ -432,8 +432,8 @@ function validate1(date) { Undefined [% END %]
  • - [% IF ( borrowernotes ) %]
  • Circulation note: [% borrowernotes %]
  • [% END %] - [% IF ( opacnote ) %]
  • OPAC note:[% opacnote %]
  • [% END %] + [% IF ( borrowernotes ) %]
  • Circulation note: [% borrowernotes |html %]
  • [% END %] + [% IF ( opacnote ) %]
  • OPAC note:[% opacnote |html %]
  • [% END %] [% IF Koha.Preference( 'NorwegianPatronDBEnable' ) == 1 %] [% IF ( sync == 1 ) %]
  • Activate sync: Yes
  • @@ -475,9 +475,9 @@ function validate1(date) { [% END %]
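Review bot: Escaping `borrowernotes` and `opacnote` is the right default for free text, but it also renders literally any markup or line breaks staff have stored in existing notes, and the test plan does not cover notes at all; if multi-line notes are expected to keep their breaks, `[% borrowernotes | html | html_line_break %]` escapes first and then restores the breaks. A sentence in the commit message about this display change is worth adding either way, since a visible regression here is the usual reason such filters get reverted.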
      - [% IF ( B_phone ) %]
    1. Phone: [% B_phone %]
    2. [% END %] - [% IF ( B_email ) %][% END %] - [% IF ( contactnote ) %]
    3. Contact note: [% contactnote %]
    4. [% END %] + [% IF ( B_phone ) %]
    5. Phone: [% B_phone |html %]
    6. [% END %] + [% IF ( B_email ) %][% END %] + [% IF ( contactnote ) %]
    7. Contact note: [% contactnote |html %]
    8. [% END %]
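Review bot: The `[% IF ( B_email ) %]…[% END %]` line is rewritten in this hunk but its inner content is not visible on this page, so I cannot confirm the address itself is filtered; if it is emitted inside an attribute (for example a mailto href) it needs escaping for that context (`| uri` for the attribute value, `| html` for the visible text), not only the element-content escaping applied to `B_phone` and `contactnote` here. The enclosing list continues outside the hunk.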
    -- 2.39.5