From 951f3346a25c7f2883f834398055c2413b8f9c9b Mon Sep 17 00:00:00 2001
From: Chris Cormack <chrisc@catalyst.net.nz>
Date: Wed, 10 Dec 2014 12:47:30 +1300
Subject: [PATCH] Bug 13425 - XSS in intranet facets - Patch for 3.18 and
 master

To Test
1/ Craft a url like /cgi-bin/koha/catalogue/search.pl?q=smith&sort_by='"><script>prompt('Happy_Holidays')</script>

It is important it must return results and facets

2/ Notice the js is executed
3/ Apply the patch test again

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
No prompts, no functional regressions found.
Checked selecting and undoing facets, show more links and paging.
Signed-off-by: Mason James <mtj@kohaaloha.com>

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
---
 koha-tmpl/intranet-tmpl/prog/en/includes/facets.inc       | 6 +++---
 koha-tmpl/intranet-tmpl/prog/en/includes/page-numbers.inc | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/facets.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/facets.inc
index 97891eb5b8..96691fe03b 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/facets.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/facets.inc
@@ -3,7 +3,7 @@
 <div id="search-facets">
 <h4>Refine your search</h4>
 <ul>
-    <li id="availability_facet">Availability<ul><li>[% IF ( available ) %]Showing only <strong>available</strong> items. <a href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi_not_availablity %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by %][% END %]">Show all items</a>[% ELSE %]Limit to <a href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by %][% END %]&amp;limit=available">currently available items.</a>[% END %]</li></ul>
+    <li id="availability_facet">Availability<ul><li>[% IF ( available ) %]Showing only <strong>available</strong> items. <a href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi_not_availablity %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by |url %][% END %]">Show all items</a>[% ELSE %]Limit to <a href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by |url %][% END %]&amp;limit=available">currently available items.</a>[% END %]</li></ul>
 	[% IF ( related ) %] <li>(related searches: [% FOREACH relate IN related %][% relate.related_search %][% END %])</li>[% END %]
 	</li>
 
@@ -33,7 +33,7 @@
       [% IF facet.active %]
         [% SET url = url _ "&amp;nolimit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]
         <span class="facet-label">[% facet.facet_label_value %]</span>
-        [<a href="[% url %]" title="Remove facet [% facet.facet_title_value | html %]">x</a>]
+        [<a href="[% url |url%]" title="Remove facet [% facet.facet_title_value | html %]">x</a>]
       [% ELSE %]
         [% SET url = url _ "&amp;limit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]
         <span class="facet-label"><a href="[% url %]" title="[% facet.facet_title_value |html %]">[% facet.facet_label_value %]</a></span>
@@ -44,7 +44,7 @@
     </li>
   [% END %]
   [% IF ( facets_loo.expandable ) %]
-    <li class="showmore"><a href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by %][% END %][% IF ( offset ) %]&amp;offset=[% offset %][% END %]&amp;expand=[% facets_loo.expand %]#[% facets_loo.type_id %]">Show more</a></li>
+    <li class="showmore"><a href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by |url%][% END %][% IF ( offset ) %]&amp;offset=[% offset %][% END %]&amp;expand=[% facets_loo.expand %]#[% facets_loo.type_id %]">Show more</a></li>
   [% END %]
 </ul></li>
 [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/page-numbers.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/page-numbers.inc
index a0f6abb75e..2992164929 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/page-numbers.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/page-numbers.inc
@@ -1,7 +1,7 @@
 [% IF ( PAGE_NUMBERS ) %]<div class="pages">
     <!-- Row of numbers corresponding to search result pages -->
-        [% IF ( previous_page_offset.defined ) %]<a class="nav" href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %]&amp;offset=[% previous_page_offset %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by %][% END %]">&lt;&lt; Previous</a>[% END %]
-    [% FOREACH PAGE_NUMBER IN PAGE_NUMBERS %][% IF ( PAGE_NUMBER.highlight ) %]<span class="current">[% PAGE_NUMBER.pg %]</span>[% ELSE %]        <a class="nav" href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %]&amp;offset=[% PAGE_NUMBER.offset %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by %][% END %]">[% PAGE_NUMBER.pg %]</a>[% END %]
+        [% IF ( previous_page_offset.defined ) %]<a class="nav" href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %]&amp;offset=[% previous_page_offset %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by |url %][% END %]">&lt;&lt; Previous</a>[% END %]
+    [% FOREACH PAGE_NUMBER IN PAGE_NUMBERS %][% IF ( PAGE_NUMBER.highlight ) %]<span class="current">[% PAGE_NUMBER.pg %]</span>[% ELSE %]        <a class="nav" href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %]&amp;offset=[% PAGE_NUMBER.offset %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by |url %][% END %]">[% PAGE_NUMBER.pg %]</a>[% END %]
     [% END %]
-        [% IF ( next_page_offset ) %]<a class="nav" href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %]&amp;offset=[% next_page_offset %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by %][% END %]">Next &gt;&gt;</a>[% END %]
+        [% IF ( next_page_offset ) %]<a class="nav" href="/cgi-bin/koha/catalogue/search.pl?[% query_cgi |html %][% limit_cgi |html %]&amp;offset=[% next_page_offset %][% IF ( sort_by ) %]&amp;sort_by=[% sort_by |url %][% END %]">Next &gt;&gt;</a>[% END %]
 </div>[% END %]
-- 
2.39.5