Bug 17023: Fix XSS in cataloguing/z3950_search.pl

Test plan:
Enter the following in the different inputs:
<script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/z3950_search.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/z3950_search.tt
index f20a49d..c7bc15a 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/z3950_search.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/z3950_search.tt
@@ -70,10 +70,10 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
     <div class="yui-u first">
            <fieldset class="rows"> 
         <ol>
-        <li><label for="isbn">ISBN: </label> <input type="text" id="isbn" name="isbn" value="[% isbn %]" /></li>
-        <li><label for="issn">ISSN: </label> <input type="text" id="issn" name="issn" value="[% issn %]" /></li>
+        <li><label for="isbn">ISBN: </label> <input type="text" id="isbn" name="isbn" value="[% isbn | html %]" /></li>
+        <li><label for="issn">ISSN: </label> <input type="text" id="issn" name="issn" value="[% issn | html %]" /></li>
         <li><label for="title">Title: </label> <input type="text" id="title"  name="title" value="[% title |html %]" /></li>
-        <li><label for="author">Author: </label> <input type="text" id="author" name="author" value="[% author %]" /></li>
+        <li><label for="author">Author: </label> <input type="text" id="author" name="author" value="[% author | html %]" /></li>
         <li><label for="subject">Subject heading: </label> <input type="text" id="subject" name="subject" value="" /></li>
         <li><label for="srchany">Keyword (any): </label> <input type="text" id="srchany" name="srchany" value="" /></li>
         <li><label for="lccall">LC call number: </label> <input type="text" id="lccall" name="lccall" value="" /></li>
@@ -82,8 +82,8 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
         <li><label for="stdid">Standard ID: </label> <input type="text" id="stdid" name="stdid" value="" /></li>
         <li><a id="resetZ3950Search" href="#"><i class="fa fa-trash"></i> Clear search form</a></li>
         </ol>
-    <input type="hidden" name="biblionumber" value="[% biblionumber %]" />
-    <input type="hidden" name="frameworkcode" value="[% frameworkcode %]" />
+    <input type="hidden" name="biblionumber" value="[% biblionumber | html %]" />
+    <input type="hidden" name="frameworkcode" value="[% frameworkcode | html %]" />
     </div>
     <div class="yui-g">
       <h2>Search targets <span style="display: inline; font-size: 70%; padding-left: 1em;"><span class="checkall"><a id="CheckAll" href="#"><i class="fa fa-check"></i> Select all</a></span> | <span class="clearall"><a id="CheckNone" href="#"><i class="fa fa-remove"></i> Clear all</a></span></span></h2>
@@ -108,16 +108,16 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
 [% ELSE %]
     <h2>Results</h2>
     <p>You searched for:
-        [% IF ( title ) %]<em>Title: </em><span class=term>[% title %]</span> [% END %]
-        [% IF ( author ) %]<em>Author: </em><span class=term>[% author %]</span> [% END %]
-        [% IF ( isbn ) %]<em>ISBN: </em><span class=term>[% isbn %]</span> [% END %]
-        [% IF ( issn ) %]<em>ISSN: </em><span class=term>[% issn %]</span> [% END %]
-        [% IF ( lccall ) %]<em>LC call number: </em><span class=term>[% lccall %]</span> [% END %]
-        [% IF ( subject ) %]<em>Subject heading: </em><span class=term>[% subject %]</span> [% END %]
-        [% IF ( controlnumber ) %]<em>Control no: </em><span class=term>[% controlnumber %]</span> [% END %]
-        [% IF ( dewey ) %]<em>Dewey: </em><span class=term>[% dewey %]</span> [%END %]
-        [% IF ( srchany ) %]<em>Raw (any): </em><span class=term>[% srchany %]</span> [% END %]
-        [% IF ( stdid ) %]<em>Standard ID: </em><span class=term>[% stdid %]</span> [% END %]
+        [% IF ( title ) %]<em>Title: </em><span class=term>[% title | html %]</span> [% END %]
+        [% IF ( author ) %]<em>Author: </em><span class=term>[% author | html %]</span> [% END %]
+        [% IF ( isbn ) %]<em>ISBN: </em><span class=term>[% isbn | html %]</span> [% END %]
+        [% IF ( issn ) %]<em>ISSN: </em><span class=term>[% issn | html %]</span> [% END %]
+        [% IF ( lccall ) %]<em>LC call number: </em><span class=term>[% lccall | html %]</span> [% END %]
+        [% IF ( subject ) %]<em>Subject heading: </em><span class=term>[% subject | html %]</span> [% END %]
+        [% IF ( controlnumber ) %]<em>Control no: </em><span class=term>[% controlnumber | html %]</span> [% END %]
+        [% IF ( dewey ) %]<em>Dewey: </em><span class=term>[% dewey | html %]</span> [%END %]
+        [% IF ( srchany ) %]<em>Raw (any): </em><span class=term>[% srchany | html %]</span> [% END %]
+        [% IF ( stdid ) %]<em>Standard ID: </em><span class=term>[% stdid | html %]</span> [% END %]
     </p>
     [% IF ( errconn ) %]
             <div class="dialog alert">
@@ -151,7 +151,7 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
         [% IF ( breeding_loo.breedingid ) %]
 
            <tr id="row[% breeding_loo.breedingid %]">
-            <td>[% breeding_loo.server %] <div class="linktools"><a href="/cgi-bin/koha/catalogue/showmarc.pl?importid=[% breeding_loo.breedingid %]" class="previewData">Preview MARC</a> <a href="/cgi-bin/koha/catalogue/showmarc.pl?viewas=card&amp;importid=[% breeding_loo.breedingid %]" class="previewData">Preview card</a> <a href="#" class="import_record" data-breedingid="[% breeding_loo.breedingid %]" data-biblionumber="[% breeding_loo.biblionumber %]" data-frameworkcode="[% frameworkcode %]">Import</a><a href="#" id="close_menu" title="Close this menu"> X </a></div> </td>
+            <td>[% breeding_loo.server %] <div class="linktools"><a href="/cgi-bin/koha/catalogue/showmarc.pl?importid=[% breeding_loo.breedingid %]" class="previewData">Preview MARC</a> <a href="/cgi-bin/koha/catalogue/showmarc.pl?viewas=card&amp;importid=[% breeding_loo.breedingid %]" class="previewData">Preview card</a> <a href="#" class="import_record" data-breedingid="[% breeding_loo.breedingid %]" data-biblionumber="[% breeding_loo.biblionumber %]" data-frameworkcode="[% frameworkcode | uri %]">Import</a><a href="#" id="close_menu" title="Close this menu"> X </a></div> </td>
             <td>[% breeding_loo.title |html %]</td>
             <td>[% breeding_loo.author %]</td>
             <td>[% breeding_loo.date %]</td>
@@ -160,7 +160,7 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
             <td>[% breeding_loo.lccn %]</td>
             <td><a href="/cgi-bin/koha/catalogue/showmarc.pl?importid=[% breeding_loo.breedingid %]" class="previewData">MARC</a></td>
             <td><a href="/cgi-bin/koha/catalogue/showmarc.pl?viewas=card&amp;importid=[% breeding_loo.breedingid %]" class="previewData">Card</a></td>
-            <td><a href="#" class="import_record" data-breedingid="[% breeding_loo.breedingid %]" data-biblionumber="[% breeding_loo.biblionumber %]" data-frameworkcode="[% frameworkcode %]">Import</a></td>
+            <td><a href="#" class="import_record" data-breedingid="[% breeding_loo.breedingid %]" data-biblionumber="[% breeding_loo.biblionumber %]" data-frameworkcode="[% frameworkcode | uri %]">Import</a></td>
         </tr>
         [% END %]
     [% END %]</tbody>
@@ -181,17 +181,17 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
     <form method="post" action="z3950_search.pl" id="page_form" name="page_form" class="checkboxed">
         <input type="hidden" name="op" id="op" value="do_search" />
         <input type="hidden" name="current_page" id="current_page" value="[% current_page %]" />
-        <input type="hidden" id="title"  name="title" value="[% title %]" />
-        <input type="hidden" id="isbn" name="isbn" value="[% isbn %]" />
-        <input type="hidden" id="lccall" name="lccall" value="[% lccall %]" />
-        <input type="hidden" id="controlnumber" name="controlnumber" value="[% controlnumber %]" />
-        <input type="hidden" id="srchany" name="srchany" value="[% srchany %]" />
-        <input type="hidden" id="author" name="author" value="[% author %]" />
-        <input type="hidden" id="subject" name="subject" value="[% subject %]" />
-        <input type="hidden" id="dewey" name="dewey" value="[% dewey %]" />
-        <input type="hidden" id="stdid" name="stdid" value="[% stdid %]" />
-        <input type="hidden" name="biblionumber" value="[% biblionumber %]" />
-        <input type="hidden" name="frameworkcode" value="[% frameworkcode %]" />
+        <input type="hidden" id="title"  name="title" value="[% title | html %]" />
+        <input type="hidden" id="isbn" name="isbn" value="[% isbn | html %]" />
+        <input type="hidden" id="lccall" name="lccall" value="[% lccall | html %]" />
+        <input type="hidden" id="controlnumber" name="controlnumber" value="[% controlnumber | html %]" />
+        <input type="hidden" id="srchany" name="srchany" value="[% srchany | html %]" />
+        <input type="hidden" id="author" name="author" value="[% author | html %]" />
+        <input type="hidden" id="subject" name="subject" value="[% subject | html %]" />
+        <input type="hidden" id="dewey" name="dewey" value="[% dewey | html %]" />
+        <input type="hidden" id="stdid" name="stdid" value="[% stdid | html %]" />
+        <input type="hidden" name="biblionumber" value="[% biblionumber | html %]" />
+        <input type="hidden" name="frameworkcode" value="[% frameworkcode | html %]" />
 
         [% FOREACH server IN servers %]
         <input type="hidden" name="id" id="z3950_[% server.id %]" value="[% server.id %]" />
@@ -210,7 +210,7 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
     [% ELSE %]
         <div class="dialog message">Nothing found.</div>
     [% END %]
-<p><form method="get" action="/cgi-bin/koha/cataloguing/z3950_search.pl"><input type="hidden" name="biblionumber" value="[% biblionumber %]"/><input type="hidden" name="frameworkcode" value="[% frameworkcode %]"/><input type="submit" value="Try another search"/></form></p>
+<p><form method="get" action="/cgi-bin/koha/cataloguing/z3950_search.pl"><input type="hidden" name="biblionumber" value="[% biblionumber | html %]"/><input type="hidden" name="frameworkcode" value="[% frameworkcode | html %]"/><input type="submit" value="Try another search"/></form></p>
 
 [% END %]