Bug 24412: (follow-up) prevent js injection
authorNicolas Legrand <nicolas.legrand@bulac.fr>
Thu, 5 Nov 2020 13:52:02 +0000 (14:52 +0100)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 6 Nov 2020 14:55:17 +0000 (15:55 +0100)
Some JS variables are not properly escaped and can be executed if they
contain JavaScript.

1. have some waiting reserve attached to a desk
2. change this desk name to : <script>alert("❤");</script>
3. go to user's checkout page (circulation.pl) and click on the
Hold(s) tab
4. you should see some popup with a ❤ in it.
5. apply patch and refresh page
6. now you should see the desk name printed properly in the page:
<script>alert("❤");</script>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
koha-tmpl/intranet-tmpl/prog/js/holds.js

index be94430..29a0489 100644 (file)
@@ -162,13 +162,13 @@ $(document).ready(function() {
                                     if ( oObj.waiting_here ) {
                                         data += __("Item is <strong>waiting here</strong>");
                                         if (oObj.desk_name) {
-                                            data += ", " + __("at %s").format(oObj.desk_name);
+                                            data += ", " + __("at %s").format(oObj.desk_name.escapeHtml());
                                         }
                                     } else {
                                         data += __("Item is <strong>waiting</strong>");
                                         data += " " + __("at %s").format(oObj.waiting_at);
                                         if (oObj.desk_name) {
-                                            data += ", " + __("at %s").format(oObj.desk_name);
+                                            data += ", " + __("at %s").format(oObj.desk_name.escapeHtml());
                                         }
 
                                     }
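Review bot: `oObj.waiting_at` on the line `data += " " + __("at %s").format(oObj.waiting_at);` is still appended to the same `data` string without `escapeHtml()`, so the hunk escapes `desk_name` in both branches but leaves a sibling value from the same row unescaped in the same HTML sink. Presumably `waiting_at` is also server-supplied text (a location name of some kind), in which case it needs the same treatment: `data += " " + __("at %s").format(oObj.waiting_at.escapeHtml());`. If it can be null or undefined for a waiting hold, it would also need the same truthiness guard the `desk_name` lines already have. The enclosing `$(document).ready` callback starts and ends outside the hunk.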