From f7b12a1cf3da62d8ed884692b4161dca1d456bfe Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 14 Mar 2019 19:42:50 -0300 Subject: [PATCH] Bug 22478: Prevent XSS vulnerabilities when pagination appears This is a bad one as we thought we were XSS safe since bug 13618. The html code generated in C4::Output::pagination_bar must escape the variables and values correctly. This patch needs to be widely tested, everywhere the pagination appears, to make sure we will not introduce regressions. Signed-off-by: Katrin Fischer Signed-off-by: Marcel de Rooy Signed-off-by: Martin Renvoize (cherry picked from commit d4d1107afa873614ace241557e424de0dcbad20a) Signed-off-by: Lucas Gass --- C4/Output.pm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/C4/Output.pm b/C4/Output.pm index 71f82e8a87..e8a86cc5ed 100644 --- a/C4/Output.pm +++ b/C4/Output.pm @@ -29,6 +29,7 @@ use strict; #use warnings; FIXME - Bug 2505 use URI::Escape; +use Scalar::Util qw( looks_like_number ); use C4::Context; use C4::Templates; @@ -89,6 +90,9 @@ sub pagination_bar { my $startfrom_name = (@_) ? shift : 'page'; my $additional_parameters = shift || {}; + $current_page = looks_like_number($current_page) ? $current_page : undef; + $nb_pages = looks_like_number($nb_pages) ? $nb_pages : undef; + # how many pages to show before and after the current page? my $pages_around = 2; @@ -106,7 +110,7 @@ sub pagination_bar { my $url = $base_url . (($base_url =~ m/$delim/ or $base_url =~ m/\?/) ? '&' : '?' ) . $startfrom_name . '='; my $url_suffix; while ( my ( $k, $v ) = each %$additional_parameters ) { - $url_suffix .= '&' . $k . '=' . $v; + $url_suffix .= '&' . URI::Escape::uri_escape_utf8($k) . '=' . URI::Escape::uri_escape_utf8($v); } my $pagination_bar = ''; -- 2.39.5