From 990aca1cb7548bcead783f40661acb156952d09a Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Tue, 2 Aug 2016 15:46:06 +0100
Subject: [PATCH] Bug 17029: Fix XSS in catalogue/*detail.pl
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Hit
/cgi-bin/koha/catalogue/detail.pl?biblionumber=1
/cgi-bin/koha/catalogue/ISBDdetail.pl?biblionumber=1
/cgi-bin/koha/catalogue/MARCdetail.pl?biblionumber=1
/cgi-bin/koha/catalogue/moredetail.pl?biblionumber=1
/cgi-bin/koha/catalogue/labeledMARCdetail.pl?biblionumber=1
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit f3a8e5a4117a0e95969ff2856dfcd95a6935ec55)
Signed-off-by: Frédéric Demians
---
 catalogue/ISBDdetail.pl | 2 ++
 catalogue/MARCdetail.pl | 4 +++-
 catalogue/detail.pl | 2 ++
 catalogue/labeledMARCdetail.pl | 2 ++
 catalogue/moredetail.pl | 2 ++
 5 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/catalogue/ISBDdetail.pl b/catalogue/ISBDdetail.pl
index 37c739c048..4e64484b25 100755
--- a/catalogue/ISBDdetail.pl
+++ b/catalogue/ISBDdetail.pl
@@ -36,6 +36,7 @@ This script needs a biblionumber as parameter
 use strict;
 #use warnings; FIXME - Bug 2505
+use HTML::Entities;
 use C4::Auth;
 use C4::Context;
 use C4::Output;
@@ -56,6 +57,7 @@ my $query = new CGI;
 my $dbh = C4::Context->dbh;
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 # open template
 my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
diff --git a/catalogue/MARCdetail.pl b/catalogue/MARCdetail.pl
index ccf178e71d..63b41af476 100755
--- a/catalogue/MARCdetail.pl
+++ b/catalogue/MARCdetail.pl
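Review bot: Entity-encoding `$biblionumber` at the point it is read is an output-escaping fix applied at the input layer; the same value is the key handed to the database lookups later in the script, so a hostile id now reaches them as an `&lt;...&gt;` string rather than being rejected. Since biblionumber is an integer, the stronger fix is to whitelist it before any use, e.g. `$biblionumber = undef unless defined $biblionumber && $biblionumber =~ /\A\d+\z/;`, which removes the vector for every sink rather than just the one the template renders. If catalogue/ISBDdetail.tt already applies the `html` filter to this value, the encode will additionally double-escape it on display, which is worth confirming. For a well-formed numeric id the encode is a no-op (digits are not touched), so legitimate requests behave the same either way. The point where the value is passed to the template is outside this hunk.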
@@ -45,11 +45,12 @@ the items attached to the biblio
 use strict;
 #use warnings; FIXME - Bug 2505
+use CGI qw ( -utf8 );
+use HTML::Entities;
 use C4::Auth;
 use C4::Context;
 use C4::Output;
-use CGI qw ( -utf8 );
 use C4::Koha;
 use MARC::Record;
 use C4::Biblio;
@@ -64,6 +65,7 @@ use List::MoreUtils qw( uniq );
 my $query = new CGI;
 my $dbh = C4::Context->dbh;
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $frameworkcode = $query->param('frameworkcode');
 $frameworkcode = GetFrameworkCode( $biblionumber ) unless ($frameworkcode);
 my $popup =
diff --git a/catalogue/detail.pl b/catalogue/detail.pl
index 49176737cf..ebc138de93 100755
--- a/catalogue/detail.pl
+++ b/catalogue/detail.pl
@@ -19,6 +19,7 @@
 use Modern::Perl;
 use CGI qw ( -utf8 );
+use HTML::Entities;
 use C4::Acquisition qw( GetHistory );
 use C4::Auth;
 use C4::Koha;
@@ -58,6 +59,7 @@ my ( $template, $borrowernumber, $cookie, $flags ) = get_template_and_user(
 );
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $record = GetMarcBiblio($biblionumber);
 if ( not defined $record ) {
diff --git a/catalogue/labeledMARCdetail.pl b/catalogue/labeledMARCdetail.pl
index 8ad2d22c8d..7c488e0fe3 100755
--- a/catalogue/labeledMARCdetail.pl
+++ b/catalogue/labeledMARCdetail.pl
@@ -20,6 +20,7 @@
 use strict;
 use warnings;
 use CGI qw ( -utf8 );
+use HTML::Entities;
 use MARC::Record;
 use C4::Auth;
 use C4::Context;
@@ -34,6 +35,7 @@ use C4::Koha qw( GetFrameworksLoop );
 my $query = new CGI;
 my $dbh = C4::Context->dbh;
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $frameworkcode = $query->param('frameworkcode');
 $frameworkcode = GetFrameworkCode( $biblionumber ) unless ($frameworkcode);
 my $popup =
diff --git a/catalogue/moredetail.pl b/catalogue/moredetail.pl
index ef9de772cc..7ba2fbe429 100755
--- a/catalogue/moredetail.pl
+++ b/catalogue/moredetail.pl
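Review bot: `$frameworkcode` is read from the request on the line right after the new encode in MARCdetail.pl and is left untouched, while `GetFrameworkCode( $biblionumber )` on the following line now receives the entity-encoded id, so only one of the two query parameters taken here gets any treatment. Whether `frameworkcode` reaches the template unescaped cannot be seen from this hunk, but it deserves the same check. Because a valid biblionumber is purely numeric, validating instead of encoding would cover both the template and the lookup in one step: `$biblionumber = undef unless defined $biblionumber && $biblionumber =~ /\A\d+\z/;`. The encode is a no-op for well-formed ids (digits are not rewritten), so existing links keep working with either approach.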
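Review bot: In detail.pl, `GetMarcBiblio($biblionumber)` on the line after the encode now receives the entity-encoded value, and the `if ( not defined $record )` branch that opens at the end of the hunk (its body is outside this view) is presumably where the id was being echoed back; encoding keeps that echo safe, but it is the wrong layer for an integer key and leaves every other use of the value dependent on the same trick. A whitelist check before the lookup is clearer and protects all later uses: `$biblionumber = undef unless defined $biblionumber && $biblionumber =~ /\A\d+\z/;`, after which a bad id takes the existing not-found path, assuming GetMarcBiblio returns undef for an undefined id. Note also that `HTML::Entities::encode` will double-escape the id if catalogue/detail.tt already applies the `html` filter to it, which is worth confirming before relying on this.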
@@ -23,6 +23,7 @@ use strict;
 #use warnings; FIXME - Bug 2505
 use C4::Koha;
 use CGI qw ( -utf8 );
+use HTML::Entities;
 use C4::Biblio;
 use C4::Items;
 use C4::Branch;
@@ -66,6 +67,7 @@ my $hidepatronname = C4::Context->preference("HidePatronName");
 # get variables
 my $biblionumber=$query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $title=$query->param('title');
 my $bi=$query->param('bi');
 $bi = $biblionumber unless $bi;
-- 
2.39.5
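Review bot: `$bi` is taken raw from the request two lines below the new encode and only falls back to the encoded `$biblionumber` when `bi` is absent, so a caller who supplies `bi=` bypasses the new protection for that value, and `$title` is likewise read unencoded on the line between them. Whether either of them reaches the template unescaped is not visible in this hunk (the rest of the script is outside this view), but both should be checked with the same care as biblionumber. For the two ids (`bi` is presumably a biblioitemnumber) the cleaner fix is validation rather than encoding, e.g. `$bi = undef unless defined $bi && $bi =~ /\A\d+\z/;` alongside the equivalent check on `$biblionumber`, which also keeps an entity-encoded string out of whatever lookup `$bi` later feeds.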