Bug 17025: Fix XSS in serials-search.pl

Test plan:
Hit
  /serials/serials-search.pl?ISSN_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1
  /serials/serials-search.pl?title_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 1ea1504c30c5c34dd763027caee55dcf359e94cf)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit d432c5bba836601b809a9f807af05ef85e952453)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 422eeb01fe83e3e9166406cfb244e3053ad72bd6)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/serials-search.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/serials-search.inc
index beb309c..aec6825 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/serials-search.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/serials-search.inc
@@ -8,12 +8,12 @@
         <input type="hidden" name="routing" value="[% routing %]" />
       [% END %]
       <input type="hidden" name="searched" value="1" />
-      <label for="ISSN_filter">ISSN:</label> <input type="text" size="10" maxlength="11" name="ISSN_filter" id="ISSN_filter" value="[% ISSN_filter %]" />
+      <label for="ISSN_filter">ISSN:</label> <input type="text" size="10" maxlength="11" name="ISSN_filter" id="ISSN_filter" value="[% ISSN_filter | html %]" />
 
       [% IF (UNIMARC) %]
-        <label for="EAN_filter">EAN:</label> <input type="text" size="20" maxlength="40" name="EAN_filter" id="EAN_filter" value="[% EAN_filter %]" />
+        <label for="EAN_filter">EAN:</label> <input type="text" size="20" maxlength="40" name="EAN_filter" id="EAN_filter" value="[% EAN_filter | html %]" />
       [% END %]
-      <label for="title_filter">Title:</label> <input type="text" size="20" maxlength="40" name="title_filter" id="title_filter" value="[% title_filter %]" />
+      <label for="title_filter">Title:</label> <input type="text" size="20" maxlength="40" name="title_filter" id="title_filter" value="[% title_filter | html %]" />
       <input value="Submit" class="submit" type="submit" /> <a href="/cgi-bin/koha/serials/serials-search.pl">Advanced search</a>
     </form>
     </div>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/subscriptions-search.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/subscriptions-search.inc
index 4f6f1ca..50bb763 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/subscriptions-search.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/subscriptions-search.inc
@@ -6,25 +6,25 @@
             <ol>
               <li>
                 <label for="issn">ISSN:</label>
-                <input type="text" id="issn" name="ISSN_filter" value="[% ISSN_filter %]" />
+                <input type="text" id="issn" name="ISSN_filter" value="[% ISSN_filter | html %]" />
               </li>
               <li>
                 <label for="title">Title:</label>
-                <input type="text" id="title" name="title_filter" value="[% title_filter %]" />
+                <input type="text" id="title" name="title_filter" value="[% title_filter | html %]" />
               </li>
               [% IF Koha.Preference( 'marcflavour' ) == "UNIMARC" %]
               <li>
                 <label for="ean">EAN:</label>
-                <input type="text" id="ean" name="EAN_filter" value="[% EAN_filter %]" />
+                <input type="text" id="ean" name="EAN_filter" value="[% EAN_filter | html %]" />
               </li>
               [% END %]
               <li>
                 <label for="publisher">Publisher:</label>
-                <input type="text" id="publisher" name="publisher_filter" value="[% publisher_filter %]" />
+                <input type="text" id="publisher" name="publisher_filter" value="[% publisher_filter | html %]" />
               </li>
               <li>
                 <label for="supplier">Vendor:</label>
-                <input type="text" id="supplier" name="supplier_filter" value="[% supplier_filter %]" />
+                <input type="text" id="supplier" name="supplier_filter" value="[% supplier_filter | html %]" />
               </li>
               <li>
                 <label for="branch">Library:</label>
@@ -42,10 +42,10 @@
             </ol>
             <input type="hidden" name="searched" value="1" />
             [% IF (booksellerid) %]
-                <input type="hidden" name="booksellerid" value="[% booksellerid %]" />
+                <input type="hidden" name="booksellerid" value="[% booksellerid | html %]" />
             [% END %]
             [% IF (basketno) %]
-                <input type="hidden" name="basketno" value="[% basketno %]" />
+                <input type="hidden" name="basketno" value="[% basketno | html %]" />
             [% END %]
             <fieldset class="action">
               <input type="submit" value="Search" />