Bug 14423 : XSS in authorities-home

To test:
1/ Hit a url like http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=mainentry&and_or=and&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice you get 3 alert boxes
3/ Apply patch
4/ Hit the url again, no js

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 4b5a87c7ec62cfb796ea7c24aec8a61039e25f5c)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/authorities-search.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/authorities-search.inc
index cbdc939..433c927 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/authorities-search.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/authorities-search.inc
@@ -58,7 +58,7 @@
             <option value="is">is exactly</option>
             [% END %]
         </select>
-        <input id="value_mainentry" type="text" name="value" value="[% value %]" />
+        <input id="value_mainentry" type="text" name="value" value="[% value | html%]" />
         <select name="orderby">
             [% IF ( orderby == 'HeadingAsc' ) %]
             <option value="HeadingAsc" selected="selected">Heading A-Z</option>
@@ -112,7 +112,7 @@
             <option value="is">is exactly</option>
             [% END %]
         </select>
-        <input id="value_matchheading" type="text" name="value" value="[% value %]" />
+        <input id="value_matchheading" type="text" name="value" value="[% value | html %]" />
         <select name="orderby">
             [% IF ( orderby == 'HeadingAsc' ) %]
             <option value="HeadingAsc" selected="selected">Heading A-Z</option>
@@ -168,7 +168,7 @@
             <option value="is">is exactly</option>
             [% END %]
         </select>
-        <input id="value_anywhere" type="text" name="value" value="[% value %]" />
+        <input id="value_anywhere" type="text" name="value" value="[% value | html %]" />
         <select name="orderby">
             [% IF ( orderby == 'HeadingAsc' ) %]
             <option value="HeadingAsc" selected="selected">Heading A-Z</option>