Bug 19112 - Stored XSS in basketheader.pl page
authorAmit Gupta <amit.gupta@informaticsglobal.com>
Tue, 15 Aug 2017 14:21:48 +0000 (19:51 +0530)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 29 Aug 2017 15:00:37 +0000 (12:00 -0300)
To Test

1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add a text in the field Basket name, Internal note, Vendor note that contains java script
3. Save the page
4. Notice that the JS is executed
5. Apply patch, reload, js is escaped.

Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basketheader.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt

index f1aa115..aea00a3 100644 (file)
                 <div class="rows">
                 <div class="yui-u first">
                 <ol>
-                [% IF ( basketnote ) %]<li><span class="label">Internal note:</span> [% basketnote %]</li>[% END %]
-                [% IF ( basketbooksellernote ) %]<li><span class="label">Vendor note:</span> [% basketbooksellernote %]</li>[% END %]
+                [% IF ( basketnote ) %]<li><span class="label">Internal note:</span> [% basketnote |html %]</li>[% END %]
+                [% IF ( basketbooksellernote ) %]<li><span class="label">Vendor note:</span> [% basketbooksellernote |html %]</li>[% END %]
                 [% IF ( basketcontractno ) %]
                     <li><span class="label">Contract name:</span> <a href="../admin/aqcontract.pl?op=add_form&amp;contractnumber=[% basketcontractno %]&amp;booksellerid=[% booksellerid %]">[% basketcontractname %]</a></li>
                 [% END %]
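Review bot: The contract line that survives on the new side of this hunk still emits `[% basketcontractname %]` into the link text and `[% basketcontractno %]`/`[% booksellerid %]` into the href with no filter, while the two note lines directly above it now carry `|html`. The contract name looks like the same kind of staff-entered data as the notes, so it presumably needs the same treatment, and values interpolated into a query string should use the uri filter rather than being left raw. The line would become `<li><span class="label">Contract name:</span> <a href="../admin/aqcontract.pl?op=add_form&amp;contractnumber=[% basketcontractno |uri %]&amp;booksellerid=[% booksellerid |uri %]">[% basketcontractname |html %]</a></li>`. Whether basketcontractname can reach this template from an untrusted form is not visible here and should be confirmed against the contract edit page.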
index 5cc8cc7..b3be241 100644 (file)
@@ -19,7 +19,7 @@
     <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo;
     <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">[% booksellername %]</a> &rsaquo;
     [% IF ( add_form ) %]
-        [% IF ( basketno ) %]Edit basket '[% basketname %]'
+        [% IF ( basketno ) %]Edit basket '[% basketname |html %]'
         [% ELSE %]Add a basket to [% booksellername %]
         [% END %]
     [% END %]
@@ -32,7 +32,7 @@
 
     [% IF ( add_form ) %]
         [% IF ( basketno ) %]
-            <h1>Edit basket [% basketname %]</h1>
+            <h1>Edit basket [% basketname |html %]</h1>
         [% ELSE %]<h1>Add a basket to [% booksellername %]</h1>
         [% END %]
     <form name="Aform" action="[% script_name %]" method="post" class="validated">
                 </li>
                 <li>
                     <label for="basketnote">Internal note: </label> &nbsp;
-                    <textarea name="basketnote" id="basketnote" rows="5" cols="40">[% basketnote %]</textarea>
+                    <textarea name="basketnote" id="basketnote" rows="5" cols="40">[% basketnote |html %]</textarea>
                 </li>
                 <li>
                     <label for="basketbooksellernote">Vendor note: </label> &nbsp;
-                    <textarea name="basketbooksellernote" id="basketbooksellernote" rows="5" cols="40">[% basketbooksellernote %]</textarea>
+                    <textarea name="basketbooksellernote" id="basketbooksellernote" rows="5" cols="40">[% basketbooksellernote |html %]</textarea>
                 </li>
                 [% IF ( contractloop ) %]
                     <li><label for="basketcontractnumber">Contract: </label>
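Review bot: In the breadcrumb and heading hunks (the ones headed `@@ -19,7 +19,7 @@` and `@@ -32,7 +32,7 @@`), `[% booksellername %]` is still output unfiltered three times in the very lines where `basketname` is now escaped, including the `[% ELSE %]Add a basket to [% booksellername %]` branches and the breadcrumb link text. The vendor name appears to be staff-entered in the same way as the basket name, so it presumably belongs in this fix as well; e.g. `[% ELSE %]Add a basket to [% booksellername |html %]` in both places. The `booksellerid=[% booksellerid %]` query parameter in the breadcrumb href would normally take `|uri` rather than no filter, and `action="[% script_name %]"` on the form line is also unfiltered, though script_name is likely server-derived and lower risk.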
index e9f44dc..e8acf39 100644 (file)
@@ -142,7 +142,7 @@ $(document).ready(function() {
                                         <tr>
                                     [% END %]
                                         <td>[% basket.basketno %]</td>
-                                        <td>[% basket.basketname %]</td>
+                                        <td>[% basket.basketname |html %]</td>
                                         <td>
                                             <span title="[% basket.total_items %]">[% basket.total_items %]
                                                 [% IF basket.total_items_cancelled %]