From a61c072f1acb77906843a5be319412f959374bda Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 29 Sep 2016 08:46:49 +0100 Subject: [PATCH] Bug 17365: Fix XSS in moremember.pl and memberentry.pl MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit There are certainly hundred of places where they are not escaped... Test plan: Create a patron with "Arun " in some of the fields. Signed-off-by: Chris Cormack Signed-off-by: Katrin Fischer Signed-off-by: Brendan Gallagher (cherry picked from commit 1d0d5f1398687ead3a17cd40f74f879e8ddf9a9d) Signed-off-by: Frédéric Demians --- .../prog/en/includes/circ-menu.inc | 14 ++--- .../prog/en/includes/patron-title.inc | 16 +++--- .../prog/en/modules/members/memberentrygen.tt | 46 ++++++++-------- .../prog/en/modules/members/moremember.tt | 52 +++++++++---------- 4 files changed, 64 insertions(+), 64 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc index a42384489a..8e83947c8a 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc @@ -8,9 +8,9 @@
    [% IF ( patronimages ) %] [% IF ( picture ) %] -
  • [% firstname %] [% surname %] ([% cardnumber %])
    • +
  • [% firstname | html %] [% surname | html %] ([% cardnumber | html %])
    • [% ELSE %] -
  • [% firstname %] [% surname %] ([% cardnumber %])
    • +
  • [% firstname | html %] [% surname | html %] ([% cardnumber | html %])
    • [% END %] [% END %] [% IF Koha.Preference( 'AddressFormat' ) %] @@ -20,21 +20,21 @@ [% END %] [% IF ( phone ) %]
  • - [% phone %] + [% phone | html %] [% ELSE %] [% IF ( mobile ) %] - [% mobile %] + [% mobile | html %] [% ELSE %] [% IF ( phonepro ) %] - [% phonepro %] + [% phonepro | html %] [% END %] [% END %]
    • [% END %] [% IF ( email ) %] - + [% ELSE %] [% IF ( emailpro ) %] - + [% END %] [% END %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/patron-title.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/patron-title.inc index dbcab25ef1..caf45d6a15 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/patron-title.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/patron-title.inc @@ -1,27 +1,27 @@ [%- IF ( borrower.borrowernumber ) %] [%- IF borrower.category_type == 'I' %] - [%- borrower.surname %] [% IF borrower.othernames %] ([% borrower.othernames %]) [% END %] + [%- borrower.surname | html %] [% IF borrower.othernames %] ([% borrower.othernames | html %]) [% END %] [%- ELSE %] [%- IF invert_name %] - [%- borrower.surname %], [% borrower.firstname %] [% IF borrower.othernames %] ([% borrower.othernames %]) [% END %] + [%- borrower.surname | html %], [% borrower.firstname | html %] [% IF borrower.othernames %] ([% borrower.othernames | html %]) [% END %] [%- ELSE %] - [%- borrower.firstname %] [% IF borrower.othernames %] ([% borrower.othernames %]) [% END %] [% borrower.surname %] + [%- borrower.firstname | html %] [% IF borrower.othernames %] ([% borrower.othernames | html %]) [% END %] [% borrower.surname | html %] [%- END -%] [%- END -%] [%- IF ( borrower.cardnumber ) -%] - ([% borrower.cardnumber %]) + ([% borrower.cardnumber | html %]) [%- END %] [%- ELSIF ( borrowernumber ) %] [%- IF category_type == 'I' %] - [%- surname %] [% IF othernames %] ([% othernames %]) [% END %] + [%- surname | html %] [% IF othernames %] ([% othernames | html %]) [% END %] [%- ELSE %] [%- IF invert_name %] - [%- surname %], [% firstname %] [% IF othernames %] ([% othernames %]) [% END %] + [%- surname | html %], [% firstname | html %] [% IF othernames %] ([% othernames | html %]) [% END %] [%- ELSE %] - [%- firstname %] [% IF othernames %] ([% othernames %]) [% END %] [% surname %] + [%- firstname | html %] [% IF othernames %] ([% othernames | html %]) [% END %] [% surname | html %] [%- END %] [%- END -%] [%- IF ( cardnumber ) -%] - ([% cardnumber %]) + ([% cardnumber | html %]) [%- END %] [%- END -%] diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt index 89559b82c3..54e755ea64 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt @@ -82,8 +82,8 @@ $(document).ready(function() { [% INCLUDE 'noadd-warnings.inc' %] [% UNLESS ( no_add ) %] -

    [% IF ( opadd ) %]Add[% ELSIF ( opduplicate ) %]Duplicate[% ELSE %] Modify[% END %] patron [% IF (firstname) %][% firstname %] [% END %][% IF (surname) %][% surname %] [% END %]([%IF ( categoryname ) %][% categoryname %][% ELSE %][% IF ( I ) %]Organization[% END %][% IF ( A ) %]Adult[% END %][% IF ( C ) %]Child[% END %][% IF ( P ) %]Professional[% END %][% IF ( S ) %]Staff[% END %][% END %])

    - +

    [% IF ( opadd ) %]Add[% ELSIF ( opduplicate ) %]Duplicate[% ELSE %] Modify[% END %] patron [% IF (firstname) %][% firstname | html %] [% END %][% IF (surname) %][% surname | html %] [% END %]([%IF ( categoryname ) %][% categoryname %][% ELSE %][% IF ( I ) %]Organization[% END %][% IF ( A ) %]Adult[% END %][% IF ( C ) %]Child[% END %][% IF ( P ) %]Professional[% END %][% IF ( S ) %]Staff[% END %][% END %])

    + [% IF ( check_member ) %]

    Duplicate patron record?

    @@ -245,7 +245,7 @@ $(document).ready(function() { - + [% IF ( mandatoryfirstname ) %]Required[% END %] [% END %] @@ -273,7 +273,7 @@ $(document).ready(function() { - + [% IF ( mandatoryinitials ) %]Required[% END %] [% END %] @@ -286,7 +286,7 @@ $(document).ready(function() { - + [% IF ( mandatoryothernames ) %]Required[% END %] [% IF ( I ) %][% END %] @@ -344,9 +344,9 @@ $(document).ready(function() { [% IF ( guarantorid ) %] [% contactname %] - + [% ELSE %] - + [% END %] [% ELSE %] @@ -363,9 +363,9 @@ $(document).ready(function() { [% IF ( guarantorid ) %] [% contactname %] - + [% ELSE %] - + [% END %] [% END %] @@ -374,9 +374,9 @@ $(document).ready(function() { [% IF ( guarantorid ) %] [% contactfirstname %] - + [% ELSE %] - + [% END %] [% END %] @@ -443,7 +443,7 @@ $(document).ready(function() { - + [% IF ( mandatoryphone ) %]Required[% END %]
    Shows on transit slips
    @@ -456,7 +456,7 @@ $(document).ready(function() { - + [% IF ( mandatoryphonepro ) %]Required[% END %] [% END %] @@ -468,7 +468,7 @@ $(document).ready(function() { - + [% IF ( mandatorymobile ) %]Required[% END %] [% END %] @@ -480,7 +480,7 @@ $(document).ready(function() { - + [% IF ( mandatoryemail ) %]Required[% END %]
    Shows on transit slips
    @@ -493,7 +493,7 @@ $(document).ready(function() { - + [% IF ( mandatoryemailpro ) %]Required[% END %] [% END %] @@ -505,7 +505,7 @@ $(document).ready(function() { - + [% IF ( mandatoryfax ) %]Required[% END %] [% END %] @@ -548,19 +548,19 @@ $(document).ready(function() { [% END %] Card number: [% IF minlength_cardnumber == maxlength_cardnumber %] - + [% IF ( mandatorycardnumber ) %]Required[% END %]
    Card number must be exactly [% minlength_cardnumber %] characters.
    [% ELSIF minlength_cardnumber && maxlength_cardnumber %] - + [% IF ( mandatorycardnumber ) %]Required[% END %]
    Card number must be between [% minlength_cardnumber %] and [% maxlength_cardnumber %] characters.
    [% ELSIF maxlength_cardnumber %] - + [% IF ( mandatorycardnumber ) %]Required[% END %]
    Card number can be up to [% maxlength_cardnumber %] characters.
    [% ELSE %] - + [% IF ( mandatorycardnumber ) %]Required[% END %]
    There is no minimum or maximum character length.
    [% END %] @@ -702,7 +702,7 @@ $(document).ready(function() { - +
    This message appears on this patron's user page in the OPAC
    [% IF ( mandatoryopacnote ) %]Required[% END %] @@ -715,7 +715,7 @@ $(document).ready(function() { - +
    This message displays when checking out to this patron
    [% IF ( mandatoryborrowernotes ) %]Required[% END %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt index 1cd17a69d1..d3006b816e 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt @@ -211,11 +211,11 @@ function validate1(date) { [% END %]

    [% UNLESS ( I ) %] - [% title %] [% firstname %] [% END %] [% surname %] ([% cardnumber %])

    + [% title | html %] [% firstname | html %] [% END %] [% surname | html %] ([% cardnumber | html %])
    - [% UNLESS ( I ) %][% IF ( othernames ) %]“[% othernames %]”[% END %] + [% UNLESS ( I ) %][% IF ( othernames ) %]“[% othernames | html %]”[% END %]
    [% IF Koha.Preference( 'AddressFormat' ) %] @@ -228,22 +228,22 @@ function validate1(date) {
      [% IF ( I ) %] - [% IF ( phonepro ) %]
    1. Organization phone: [% phonepro %]
      2. [% END %] - [% IF ( emailpro ) %][% END %] + [% IF ( phonepro ) %]
    2. Organization phone: [% phonepro | html %]
      3. [% END %] + [% IF ( emailpro ) %][% END %] [% ELSE %] - [% IF ( phone ) %]
    3. Primary phone: [% phone %]
      4. [% END %] - [% IF ( phonepro ) %]
    4. Secondary phone: [% phonepro %]
      5. [% END %] - [% IF ( mobile ) %]
    5. Other phone: [% mobile %]
      6. [% END %] + [% IF ( phone ) %]
    6. Primary phone: [% phone | html %]
      7. [% END %] + [% IF ( phonepro ) %]
    7. Secondary phone: [% phonepro | html %]
      8. [% END %] + [% IF ( mobile ) %]
    8. Other phone: [% mobile | html %]
      9. [% END %] [% END %] [% IF ( P ) %] - [% IF ( phone ) %]
    9. Primary phone: [% phone %]
      10. [% END %] - [% IF ( mobile ) %]
    10. Other phone: [% mobile %]
      11. [% END %] + [% IF ( phone ) %]
    11. Primary phone: [% phone | html %]
      12. [% END %] + [% IF ( mobile ) %]
    12. Other phone: [% mobile | html %]
      13. [% END %] [% END %] [% IF ( fax ) %]
    13. Fax: [% fax %]
      14. [% END %] [% UNLESS ( I ) %] - [% IF ( email ) %][% END %] - [% IF ( emailpro ) %][% END %] + [% IF ( email ) %][% END %] + [% IF ( emailpro ) %][% END %] [% END %] [% IF ( initials ) %]
    14. Initials: [% initials %]
      15. [% END %] [% IF ( dateofbirth ) %]
    15. Date of birth:[% dateofbirth | $KohaDates %] ([% age %] years)
      16. [% END %] @@ -255,7 +255,7 @@ function validate1(date) { Guarantees: @@ -263,9 +263,9 @@ function validate1(date) {
    16. Guarantor: [% IF guarantor.borrowernumber %] - [% guarantor.firstname %] [% guarantor.surname %] + [% guarantor.firstname | html %] [% guarantor.surname | html %] [% ELSE %] - [% guarantor.firstname %] [% guarantor.surname %] + [% guarantor.firstname | html %] [% guarantor.surname | html %] [% END %]
      17. [% END %] @@ -289,15 +289,15 @@ function validate1(date) {
      [% IF ( picture ) %] Manage patron image -
      To update the image for [% title %] [% surname %], select a new image file and click 'Upload.'
      Click the 'Delete' button to remove the current image. +
      To update the image for [% title | html %] [% surname | html %], select a new image file and click 'Upload.'
      Click the 'Delete' button to remove the current image. [% ELSE %] Upload patron image -
      [% title %] [% firstname %] [% surname %] does not currently have an image available. To import an image for [% title %] [% surname %], enter the name of an image file to upload. +
      [% title %] [% firstname | html %] [% surname | html %] does not currently have an image available. To import an image for [% title %] [% surname | html %], enter the name of an image file to upload. [% END %]
      Only PNG, GIF, JPEG, XPM formats are supported.
      - +
      1. @@ -443,15 +443,15 @@ function validate1(date) {

        Alternative contact

        -
        1. Surname: [% altcontactsurname %]
          2. -
        2. First name: [% altcontactfirstname %]
          3. -
        3. Address: [% altcontactaddress1 %]
          4. -
        4. Address 2: [% altcontactaddress2 %]
          5. -
        5. City: [% altcontactaddress3 %]
          6. - [% IF ( altcontactstate ) %]
        6. State: [% altcontactstate %]
          7. [% END %] -
        7. ZIP/Postal code: [% altcontactzipcode %]
          8. - [% IF ( altcontactcountry ) %]
        8. Country: [% altcontactcountry %]
          9. [% END %] - [% IF ( altcontactphone ) %]
        9. Phone: [% altcontactphone %]
          10. [% END %] +
          1. Surname: [% altcontactsurname | html %]
            2. +
          2. First name: [% altcontactfirstname | html %]
            3. +
          3. Address: [% altcontactaddress1 | html %]
            4. +
          4. Address 2: [% altcontactaddress2 | html %]
            5. +
          5. City: [% altcontactaddress3 | html %]
            6. + [% IF ( altcontactstate ) %]
          6. State: [% altcontactstate | html %]
            7. [% END %] +
          7. ZIP/Postal code: [% altcontactzipcode | html %]
            8. + [% IF ( altcontactcountry ) %]
          8. Country: [% altcontactcountry | html %]
            9. [% END %] + [% IF ( altcontactphone ) %]
          9. Phone: [% altcontactphone | html %]
            10. [% END %]
        Edit
        -- 2.39.5