From 515208d5ec308ade967efe04388bbedbf5f2b057 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Tue, 2 Aug 2016 16:02:07 +0100
Subject: [PATCH] Bug 16800: Fix XSS in catalogue/*detail.tt - title
Test plan:
catalogue a bibliographic record with a title=
Go on the detail pages.
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack
This of course means that any html in the title will no longer be evaluated. :
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
---
.../intranet-tmpl/prog/en/modules/catalogue/ISBDdetail.tt | 2 +-
.../intranet-tmpl/prog/en/modules/catalogue/MARCdetail.tt | 2 +-
koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt | 4 ++--
.../prog/en/modules/catalogue/labeledMARCdetail.tt | 6 +++---
.../intranet-tmpl/prog/en/modules/catalogue/moredetail.tt | 2 +-
5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/ISBDdetail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/ISBDdetail.tt
index 1c61305cf2..abe3ea225c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/ISBDdetail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/ISBDdetail.tt
@@ -3,7 +3,7 @@
[% IF ( unknownbiblionumber ) %]
Unknown record
[% ELSE %]
- ISBD details for [% title %]
+ ISBD details for [% title | html %]
[% END %]
[% INCLUDE 'doc-head-close.inc' %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/MARCdetail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/MARCdetail.tt
index 992bd0afc2..1c329635ac 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/MARCdetail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/MARCdetail.tt
@@ -3,7 +3,7 @@
[% IF ( unknownbiblionumber ) %]
Unknown record
[% ELSE %]
- MARC details for [% bibliotitle %]
+ MARC details for [% bibliotitle | html %]
[% END %]
[% INCLUDE 'doc-head-close.inc' %]
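Review bot: Only the `<title>` rendering of `title` is filtered in this ISBDdetail.tt hunk, and the same holds for `bibliotitle` in the MARCdetail.tt hunk and the first two labeledMARCdetail.tt hunks; if those templates also print the same variable in the page body (a heading, as labeledMARCdetail.tt's third hunk shows), each such occurrence needs its own `| html`, since the filter applies per output site and the hunks do not show the rest of the files. Worth recording in the commit message or a template comment is that Template Toolkit's `html` filter escapes `&`, `<`, `>` and `"` but not the single quote, so it is adequate for element content and double-quoted attributes only; a value placed in a single-quoted attribute or inside a script block needs a different treatment. The enclosing `<title>` markup begins and ends outside each hunk.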
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
index bd1913ffa8..aaded627df 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
@@ -22,7 +22,7 @@
[% IF ( unknownbiblionumber ) %]
Unknown record
[% ELSE %]
- Details for [% title |html %] [% FOREACH subtitl IN subtitle %] [% subtitl.subfield %][% END %]
+ Details for [% title |html %] [% FOREACH subtitl IN subtitle %] [% subtitl.subfield | html %][% END %]
[% END %]
@@ -346,7 +346,7 @@ function verify_images() {
[% IF ( unknownbiblionumber ) %]
Unknown record
[% ELSE %]
- Details for [% title |html %] [% FOREACH subtitl IN subtitle %] [% subtitl.subfield %][% END %]
+ Details for [% title |html %] [% FOREACH subtitl IN subtitle %] [% subtitl.subfield | html %][% END %]
[% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/labeledMARCdetail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/labeledMARCdetail.tt
index 957f6cec46..25c640720a 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/labeledMARCdetail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/labeledMARCdetail.tt
@@ -4,7 +4,7 @@
[% IF ( unknownbiblionumber ) %]
Unknown record
[% ELSE %]
- Labeled MARC details for [% bibliotitle %]
+ Labeled MARC details for [% bibliotitle | html %]
[% END %]
@@ -38,7 +38,7 @@
[% IF ( unknownbiblionumber ) %]
Unknown record
[% ELSE %]
- MARC details for [% bibliotitle %]
+ MARC details for [% bibliotitle | html %]
[% END %]
@@ -55,7 +55,7 @@
[% INCLUDE 'cat-toolbar.inc' %]
[% UNLESS ( popup ) %]
-
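Review bot: The identical `Details for [% title |html %] [% FOREACH subtitl IN subtitle %] [% subtitl.subfield | html %][% END %]` line is now maintained at two places in detail.tt (the hunks at 22 and 346), so a later change to one filter can silently leave the other unescaped; defining the fragment once with `[% BLOCK %]` and rendering it at both sites with `[% PROCESS %]` keeps the escaping in a single spot. Within the same line the filter is written both as `|html` and `| html`; settling on one spelling across these templates makes a grep-based audit for unfiltered variables dependable. The enclosing `<title>` and heading markup of each hunk starts and ends outside it.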

Labeled MARC biblio : [% biblionumber %] ( [% bibliotitle %] )

+

Labeled MARC biblio : [% biblionumber %] ( [% bibliotitle | html %] )

[% END %]

With framework: