Bug 17029: Fix XSS in catalogue/*detail.pl

Hit
  /cgi-bin/koha/catalogue/detail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/ISBDdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/MARCdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/moredetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/labeledMARCdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

diff --git a/catalogue/ISBDdetail.pl b/catalogue/ISBDdetail.pl
index 8c02f42..e705323 100755 (executable)
--- a/catalogue/ISBDdetail.pl
+++ b/catalogue/ISBDdetail.pl
@@ -36,6 +36,7 @@ This script needs a biblionumber as parameter
 use strict;
 #use warnings; FIXME - Bug 2505
 
+use HTML::Entities;
 use C4::Auth;
 use C4::Context;
 use C4::Output;
@@ -57,6 +58,7 @@ my $query = new CGI;
 my $dbh = C4::Context->dbh;
 
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 
 # open template
 my ( $template, $loggedinuser, $cookie ) = get_template_and_user(

diff --git a/catalogue/MARCdetail.pl b/catalogue/MARCdetail.pl
index e8f6949..4cceaff 100755 (executable)
--- a/catalogue/MARCdetail.pl
+++ b/catalogue/MARCdetail.pl
@@ -45,11 +45,12 @@ the items attached to the biblio
 
 use strict;
 #use warnings; FIXME - Bug 2505
+use CGI qw ( -utf8 );
+use HTML::Entities;
 
 use C4::Auth;
 use C4::Context;
 use C4::Output;
-use CGI qw ( -utf8 );
 use C4::Koha;
 use MARC::Record;
 use C4::Biblio;
@@ -63,6 +64,7 @@ use C4::Search;               # enabled_staff_search_views
 my $query        = new CGI;
 my $dbh          = C4::Context->dbh;
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $frameworkcode = $query->param('frameworkcode');
 $frameworkcode = GetFrameworkCode( $biblionumber ) unless ($frameworkcode);
 my $popup        =

diff --git a/catalogue/detail.pl b/catalogue/detail.pl
index 7eb790c..8eead50 100755 (executable)
--- a/catalogue/detail.pl
+++ b/catalogue/detail.pl
@@ -20,6 +20,7 @@ use strict;
 use warnings;
 
 use CGI qw ( -utf8 );
+use HTML::Entities;
 use C4::Acquisition qw( GetHistory );
 use C4::Auth;
 use C4::Dates qw/format_date/;
@@ -60,6 +61,7 @@ my ( $template, $borrowernumber, $cookie, $flags ) = get_template_and_user(
 );
 
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $record       = GetMarcBiblio($biblionumber);
 
 if ( not defined $record ) {

diff --git a/catalogue/labeledMARCdetail.pl b/catalogue/labeledMARCdetail.pl
index c5366e1..a49a10a 100755 (executable)
--- a/catalogue/labeledMARCdetail.pl
+++ b/catalogue/labeledMARCdetail.pl
@@ -20,6 +20,7 @@
 use strict;
 use warnings;
 use CGI qw ( -utf8 ); 
+use HTML::Entities;
 use MARC::Record;
 use C4::Auth;
 use C4::Context;
@@ -34,6 +35,7 @@ use C4::Koha qw( GetFrameworksLoop );
 my $query        = new CGI;
 my $dbh          = C4::Context->dbh;
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $frameworkcode = $query->param('frameworkcode');
 $frameworkcode = GetFrameworkCode( $biblionumber ) unless ($frameworkcode);
 my $popup        =

diff --git a/catalogue/moredetail.pl b/catalogue/moredetail.pl
index 3736c13..3f5e781 100755 (executable)
--- a/catalogue/moredetail.pl
+++ b/catalogue/moredetail.pl
@@ -23,6 +23,7 @@ use strict;
 #use warnings; FIXME - Bug 2505
 use C4::Koha;
 use CGI qw ( -utf8 );
+use HTML::Entities;
 use C4::Biblio;
 use C4::Items;
 use C4::Branch;
@@ -72,6 +73,7 @@ my $hidepatronname = C4::Context->preference("HidePatronName");
 # get variables
 
 my $biblionumber=$query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $title=$query->param('title');
 my $bi=$query->param('bi');
 $bi = $biblionumber unless $bi;