Bug 26102: Prevent XSS when To.json is used: authorities/blinddetail-biblio-search.tt
authorOwen Leonard <oleonard@myacpl.org>
Tue, 11 Aug 2020 12:41:13 +0000 (12:41 +0000)
committerFridolin Somers <fridolin.somers@biblibre.com>
Thu, 3 Feb 2022 07:05:29 +0000 (21:05 -1000)
Test the process of searching for and selecting an authority record for
use in the basic MARC editor.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
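--- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
                 [% IF ( clear ) %]
                     var new_line = "";
                 [% ELSE %]
-                    var new_line = "
+                var new_line = "
                     [%- FOREACH SUBFIELD_LOO IN SUBFIELD_LOOP -%]‡
-                        [%- To.json( SUBFIELD_LOO.marc_subfield ) | $raw -%]
+                        [%- To.json( SUBFIELD_LOO.marc_subfield ) | html -%]
                         [%- FOREACH marc_value IN SUBFIELD_LOO.marc_values -%]
-                            [%- To.json( marc_value ) | $raw -%]
+                            [%- To.json( marc_value ) | html -%]
                         [%- END -%]
                     [%- END -%]‡9[% authid | html %]";
                 [% END %]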
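Review bot: Stacking `| html` on top of `To.json(...)` at the two `+` lines escapes for the wrong output context and double-encodes the value: `To.json` already emits a quoted, backslash-escaped JSON literal, and if this sits inside a `<script>` block (the enclosing script starts and ends outside the hunk) the HTML parser does not decode entities there, so `new_line` will carry literal `&quot;`, `&amp;` and `&lt;` sequences plus the JSON quotes instead of the original characters. The change does close the break-out, since `"`, `<`, `>` and `&` can no longer reach the JavaScript string raw, but the data that is later written back from `new_line` is likely altered; I cannot see from the hunk how the opener consumes it, so check that path. One escaping step matched to the context is clearer and consistent with the same string literal, which already does `[% authid | html %]` on the raw value at the `‡9` line: either drop `To.json` and use `[%- SUBFIELD_LOO.marc_subfield | html -%]` / `[%- marc_value | html -%]`, or keep `To.json(...) | $raw` and confirm the encoder escapes `</` so a value cannot terminate the script element. The new `var new_line = "` line is also indented four columns less than its `[% IF %]`/`[% ELSE %]` siblings; restoring the original indent keeps the block aligned.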