Bug 11322: fix XSS bug in purchase suggestions - OPAC

1/ Add a suggestion in the opac, with lots of html
2/ View that suggestion in the OPAC, note the html is rendering
3/ Apply the patch
4/ Test again, in prog and bootstrap, no more rendered html

Signed-off-by: David Cook <dcook@prosentient.com.au>

Works as described.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-suggestions.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-suggestions.tt
index 0d87eff..bb7c1ea 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-suggestions.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-suggestions.tt
@@ -164,18 +164,18 @@
                                                     [% END %]
                                                     <td>
                                                         <p><strong>[% suggestions_loo.title |html %]</strong></p>
-                                                            <p>[% IF ( suggestions_loo.author ) %][% suggestions_loo.author %],[% END %]
-                                                                [% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate %],[% END %]
-                                                                [% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode %][% END %]
-                                                                [% IF ( suggestions_loo.place ) %]([% suggestions_loo.place %])[% END %]
-                                                                [% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle %][% END %]
+                                                            <p>[% IF ( suggestions_loo.author ) %][% suggestions_loo.author |html %],[% END %]
+                                                                [% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate |html %],[% END %]
+                                                                [% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode |html %][% END %]
+                                                                [% IF ( suggestions_loo.place ) %]([% suggestions_loo.place |html %])[% END %]
+                                                                [% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle |html %][% END %]
                                                                 [% IF ( suggestions_loo.itemtype ) %] - [% suggestions_loo.itemtype %][% END %]
                                                         </p>
                                                     </td>
                                                     <td>
                                                         [% IF ( suggestions_loo.note ) %]
                                                             <span class="tdlabel">Note: </span>
-                                                            [% suggestions_loo.note %]
+                                                            [% suggestions_loo.note |html %]
                                                         [% END %]
                                                     </td>
                                                     [% IF Koha.Preference( 'OPACViewOthersSuggestions' ) == 1 %]

diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt
index 0fcd5e2..6313259 100644 (file)
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt
@@ -189,16 +189,16 @@
                 </td>[% END %]
                 <td>
                     <p><strong>[% suggestions_loo.title |html %]</strong></p>
-                    <p>[% IF ( suggestions_loo.author ) %][% suggestions_loo.author %],[% END %]
-                        [% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate %],[% END %] 
-                        [% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode %][% END %]
-                        [% IF ( suggestions_loo.place ) %]([% suggestions_loo.place %])[% END %]
-                        [% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle %][% END %]
+                    <p>[% IF ( suggestions_loo.author ) %][% suggestions_loo.author |html %],[% END %]
+                        [% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate |html %],[% END %]
+                        [% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode |html %][% END %]
+                        [% IF ( suggestions_loo.place ) %]([% suggestions_loo.place |html %])[% END %]
+                        [% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle |html%][% END %]
                         [% IF ( suggestions_loo.itemtype ) %] - [% suggestions_loo.itemtype %][% END %]
                     </p>
                 </td>
                 <td>
-                    [% suggestions_loo.note %]
+                    [% suggestions_loo.note |html %]
                 </td>
                 [% IF ( OPACViewOthersSuggestions ) %]<td>
                     [% IF ( suggestions_loo.branchcodesuggestedby ) %][% suggestions_loo.branchcodesuggestedby %][% ELSE %]&nbsp;[% END %]
@@ -215,7 +215,7 @@
                     [% ELSIF ( suggestions_loo.AVAILABLE ) %]Available in the library
                     [% ELSE %] [% KohaAuthorisedValues.GetByCode( 'SUGGEST_STATUS', suggestions_loo.STATUS, 1 ) %] [% END %]
 
-                    [% IF ( suggestions_loo.reason ) %]([% suggestions_loo.reason %])[% END %]
+                    [% IF ( suggestions_loo.reason ) %]([% suggestions_loo.reason |html %])[% END %]
                 </td>
             </tr>
         [% END %]