Bug 17023: Fix XSS in cataloguing/z3950_search.pl

Test plan:
Enter the following in the different inputs:
<script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/z3950_search.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/z3950_search.tt
index 4272f84..32bbb48 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/z3950_search.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/z3950_search.tt
@@ -8,7 +8,7 @@
 <script type="text/javascript">
 //<![CDATA[
 function Import(GetThisOne,biblionumber) {
-    opener.document.location="../cataloguing/addbiblio.pl?biblionumber="+biblionumber+"&z3950=1&frameworkcode=[% frameworkcode %]&breedingid="+GetThisOne;
+    opener.document.location="../cataloguing/addbiblio.pl?biblionumber="+biblionumber+"&z3950=1&frameworkcode=[% frameworkcode | url %]&breedingid="+GetThisOne;
     window.close();
     return false;
 }
@@ -112,10 +112,10 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
     <div class="yui-u first">
            <fieldset class="rows"> 
         <ol>
-        <li><label for="isbn">ISBN: </label> <input type="text" id="isbn" name="isbn" value="[% isbn %]" /></li>
-        <li><label for="issn">ISSN: </label> <input type="text" id="issn" name="issn" value="[% issn %]" /></li>
+        <li><label for="isbn">ISBN: </label> <input type="text" id="isbn" name="isbn" value="[% isbn | html %]" /></li>
+        <li><label for="issn">ISSN: </label> <input type="text" id="issn" name="issn" value="[% issn | html %]" /></li>
         <li><label for="title">Title: </label> <input type="text" id="title"  name="title" value="[% title |html %]" /></li>
-        <li><label for="author">Author: </label> <input type="text" id="author" name="author" value="[% author %]" /></li>
+        <li><label for="author">Author: </label> <input type="text" id="author" name="author" value="[% author | html %]" /></li>
         <li><label for="subject">Subject heading: </label> <input type="text" id="subject" name="subject" value="" /></li>
         <li><label for="srchany">Keyword (any): </label> <input type="text" id="srchany" name="srchany" value="" /></li>
         <li><label for="lccall">LC call number: </label> <input type="text" id="lccall" name="lccall" value="" /></li>
@@ -124,8 +124,8 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
         <li><label for="stdid">Standard ID: </label> <input type="text" id="stdid" name="stdid" value="" /></li>
         </ol>
     <p><a id="resetZ3950Search" href="#">Clear search form</a></p>
-    <input type="hidden" name="biblionumber" value="[% biblionumber %]" />
-    <input type="hidden" name="frameworkcode" value="[% frameworkcode %]" />
+    <input type="hidden" name="biblionumber" value="[% biblionumber | html %]" />
+    <input type="hidden" name="frameworkcode" value="[% frameworkcode | html %]" />
     </div>
     <div class="yui-g">
       <h2>Search targets <span style="display: inline; font-size: 70%; padding-left: 1em;"><span class="checkall"><a id="CheckAll" href="#">Select all</a></span><span class="clearall"><a id="CheckNone" href="#">Clear all</a></span></span></h2>
@@ -150,16 +150,16 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
 [% ELSE %]
     <h2>Results</h2>
     <p>You searched for:
-        [% IF ( title ) %]<em>Title: </em><span class=term>[% title %]</span> [% END %]
-        [% IF ( author ) %]<em>Author: </em><span class=term>[% author %]</span> [% END %]
-        [% IF ( isbn ) %]<em>ISBN: </em><span class=term>[% isbn %]</span> [% END %]
-        [% IF ( issn ) %]<em>ISSN: </em><span class=term>[% issn %]</span> [% END %]
-        [% IF ( lccall ) %]<em>LC call number: </em><span class=term>[% lccall %]</span> [% END %]
-        [% IF ( subject ) %]<em>Subject heading: </em><span class=term>[% subject %]</span> [% END %]
-        [% IF ( controlnumber ) %]<em>Control no: </em><span class=term>[% controlnumber %]</span> [% END %]
-        [% IF ( dewey ) %]<em>Dewey: </em><span class=term>[% dewey %]</span> [%END %]
-        [% IF ( srchany ) %]<em>Raw (any): </em><span class=term>[% srchany %]</span> [% END %]
-        [% IF ( stdid ) %]<em>Standard ID: </em><span class=term>[% stdid %]</span> [% END %]
+        [% IF ( title ) %]<em>Title: </em><span class=term>[% title | html %]</span> [% END %]
+        [% IF ( author ) %]<em>Author: </em><span class=term>[% author | html %]</span> [% END %]
+        [% IF ( isbn ) %]<em>ISBN: </em><span class=term>[% isbn | html %]</span> [% END %]
+        [% IF ( issn ) %]<em>ISSN: </em><span class=term>[% issn | html %]</span> [% END %]
+        [% IF ( lccall ) %]<em>LC call number: </em><span class=term>[% lccall | html %]</span> [% END %]
+        [% IF ( subject ) %]<em>Subject heading: </em><span class=term>[% subject | html %]</span> [% END %]
+        [% IF ( controlnumber ) %]<em>Control no: </em><span class=term>[% controlnumber | html %]</span> [% END %]
+        [% IF ( dewey ) %]<em>Dewey: </em><span class=term>[% dewey | html %]</span> [%END %]
+        [% IF ( srchany ) %]<em>Raw (any): </em><span class=term>[% srchany | html %]</span> [% END %]
+        [% IF ( stdid ) %]<em>Standard ID: </em><span class=term>[% stdid | html %]</span> [% END %]
     </p>
     [% IF ( errconn ) %]
             <div class="dialog alert">
@@ -211,17 +211,17 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
     <form method="post" action="z3950_search.pl" id="page_form" name="page_form" class="checkboxed">
         <input type="hidden" name="op" id="op" value="do_search" />
         <input type="hidden" name="current_page" id="current_page" value="[% current_page %]" />
-        <input type="hidden" id="title"  name="title" value="[% title %]" />
-        <input type="hidden" id="isbn" name="isbn" value="[% isbn %]" />
-        <input type="hidden" id="lccall" name="lccall" value="[% lccall %]" />
-        <input type="hidden" id="controlnumber" name="controlnumber" value="[% controlnumber %]" />
-        <input type="hidden" id="srchany" name="srchany" value="[% srchany %]" />
-        <input type="hidden" id="author" name="author" value="[% author %]" />
-        <input type="hidden" id="subject" name="subject" value="[% subject %]" />
-        <input type="hidden" id="dewey" name="dewey" value="[% dewey %]" />
-        <input type="hidden" id="stdid" name="stdid" value="[% stdid %]" />
-        <input type="hidden" name="biblionumber" value="[% biblionumber %]" />
-        <input type="hidden" name="frameworkcode" value="[% frameworkcode %]" />
+        <input type="hidden" id="title"  name="title" value="[% title | html %]" />
+        <input type="hidden" id="isbn" name="isbn" value="[% isbn | html %]" />
+        <input type="hidden" id="lccall" name="lccall" value="[% lccall | html %]" />
+        <input type="hidden" id="controlnumber" name="controlnumber" value="[% controlnumber | html %]" />
+        <input type="hidden" id="srchany" name="srchany" value="[% srchany | html %]" />
+        <input type="hidden" id="author" name="author" value="[% author | html %]" />
+        <input type="hidden" id="subject" name="subject" value="[% subject | html %]" />
+        <input type="hidden" id="dewey" name="dewey" value="[% dewey | html %]" />
+        <input type="hidden" id="stdid" name="stdid" value="[% stdid | html %]" />
+        <input type="hidden" name="biblionumber" value="[% biblionumber | html %]" />
+        <input type="hidden" name="frameworkcode" value="[% frameworkcode | html %]" />
 
         [% FOREACH server IN servers %]
         <input type="hidden" name="id" id="z3950_[% server.id %]" value="[% server.id %]" />
@@ -240,7 +240,7 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
     [% ELSE %]
         <div class="dialog message">Nothing found.</div>
     [% END %]
-<p><form method="get" action="/cgi-bin/koha/cataloguing/z3950_search.pl"><input type="hidden" name="biblionumber" value="[% biblionumber %]"/><input type="hidden" name="frameworkcode" value="[% frameworkcode %]"/><input type="submit" value="Try another search"/></form></p>
+<p><form method="get" action="/cgi-bin/koha/cataloguing/z3950_search.pl"><input type="hidden" name="biblionumber" value="[% biblionumber | html %]"/><input type="hidden" name="frameworkcode" value="[% frameworkcode | html %]"/><input type="submit" value="Try another search"/></form></p>
 
 [% END %]