kohabug 2026 - HTML-escape comments
authorGalen Charlton <galen.charlton@liblime.com>
Wed, 30 Apr 2008 22:09:14 +0000 (17:09 -0500)
committerJoshua Ferraro <jmf@liblime.com>
Thu, 1 May 2008 02:59:01 +0000 (21:59 -0500)
This is a partial, perhaps temporary fix.  "<", ">",
and "&" characters in patron comments (AKA reviews)
are converted to "&lt;", "&gt;", and "&amp;" to avoid
certain attacks, e.g., a user entering a <script> tag
in a comment.

A more permanent fix should scrub all (or perhaps just
unsafe) tags from submitted comments entirely.

Signed-off-by: Joshua Ferraro <jmf@liblime.com>
koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tmpl
koha-tmpl/opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl
koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tmpl
koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tmpl
koha-tmpl/opac-tmpl/prog/en/modules/opac-showreviews.tmpl

index 0350135..8fbcd88 100644 (file)
@@ -58,7 +58,7 @@ $.tablesorter.addParser({
             <a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber" -->"><!-- TMPL_VAR NAME="bibliotitle" --></a>
         </td>
         <td>
-            <!-- TMPL_VAR NAME="review" -->
+            <!-- TMPL_VAR NAME="review" ESCAPE="HTML" -->
         </td>
         <td>
             <a href="/cgi-bin/koha/reviews/reviewswaiting.pl?op=approve&amp;reviewid=<!-- TMPL_VAR NAME="reviewid" -->">Approve</a> |
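Review bot: Once `review` is emitted with `ESCAPE="HTML"` on L28, any review already stored with markup in it (a `<br>` that an earlier form left in, say) will display that markup as literal text rather than rendering it; that is the right trade-off for untrusted input, but it is a visible behaviour change worth a line in the description. The other values in this hunk stay unescaped: `bibliotitle` on L24 is presumably catalogue data rather than patron input, but giving it the same `ESCAPE="HTML"` costs nothing and keeps the row consistently escaped. The hunk appears to sit inside a table row that opens and closes outside it.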
index 1e36185..f892b4a 100644 (file)
                 <!--TMPL_VAR NAME="datereviewed"-->
             </small>
         <p>
-          <!--TMPL_VAR NAME="review"-->
+          <!--TMPL_VAR NAME="review" ESCAPE="HTML"-->
         </p>
         <!--/TMPL_LOOP-->
     <!-- TMPL_ELSE  -->
 </div>
        <!-- TMPL_IF NAME="OpacNav" --><div class="yui-b"><!--TMPL_INCLUDE NAME="navigation.inc" --></div><!-- /TMPL_IF -->
 </div>
-<!-- TMPL_INCLUDE NAME="opac-bottom.inc" -->
\ No newline at end of file
+<!-- TMPL_INCLUDE NAME="opac-bottom.inc" -->
index e3e0ed5..6afef41 100755 (executable)
                        </h5>
                        <small><!-- TMPL_VAR NAME="datereviewed" --></small>
         <p>
-          <!-- TMPL_VAR NAME="review" -->
+          <!-- TMPL_VAR NAME="review" ESCAPE="HTML" -->
                  <a href="#" onclick="Dopop('/cgi-bin/koha/opac-review.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber"-->&amp;reviewid=<!-- TMPL_VAR NAME="reviewid" -->');">Edit</a>
         </p></div>
                        <!-- TMPL_ELSE -->
             </h5>
                        <small><!-- TMPL_VAR NAME="datereviewed" --></small>
         <p>
-          <!-- TMPL_VAR NAME="review" -->
+          <!-- TMPL_VAR NAME="review" ESCAPE="HTML" -->
         </p></div>
                        <!-- /TMPL_IF -->
         <!-- /TMPL_LOOP -->
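Review bot: The `onclick` on L53 builds a query string from `biblionumber` and `reviewid` inside a single-quoted JavaScript literal inside an HTML attribute, and neither value is escaped; a value containing `'` would end the JavaScript string there, and `ESCAPE="HTML"` would not help because the browser decodes attribute entities before the handler runs. If both are integer database keys this cannot happen today, but `ESCAPE="URL"` on each of them (`reviewid=<!-- TMPL_VAR NAME="reviewid" ESCAPE="URL" -->`) is the escape that fits the query-string context and is safe in both the attribute and the JavaScript string. The same shape appears in the hrefs at L24 and L31 and in the handlers at L70 and L77. The TMPL_LOOP closed at L63 opens before this section's first hunk.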
index 146d60b..4528d71 100644 (file)
                $('#reviewf').submit( function() {
                        <!-- TMPL_IF NAME="reviewid" -->
                        parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').prev("small").prev("h5").html("Your Edited Comment (preview, pending approval)");
-                       parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').html($("#review").val());
+                       parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').html($("#review").val().replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;'));
                        parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').append(" <a href=\"#comment\" onclick=\"Dopop(\'/cgi-bin/koha/opac-review.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber"-->&amp;reviewid=<!-- TMPL_VAR NAME="reviewid" -->\');\">Edit</a>");
                        window.close();
                        <!-- TMPL_ELSE -->
                        parent.opener.$('#newcomment').attr("class","yours");
                        parent.opener.$('#newcomment').html("<h5>Your Comment (preview, pending approval)</h5>");
-                       parent.opener.$('#newcomment').append("<p>"+$("#review").val());
+                       parent.opener.$('#newcomment').append("<p>"+$("#review").val().replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;'));
                        parent.opener.$('#newcomment p').append(" <a href=\"#comment\" onclick=\"Dopop(\'/cgi-bin/koha/opac-review.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber"-->&amp;reviewid=<!-- TMPL_VAR NAME="reviewid" -->\');\">Edit</a></p>");
                        parent.opener.$("#addcomment").prev("p").remove();
                        parent.opener.$("#addcomment").remove();
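Review bot: The three-step replace chain on L69 is repeated verbatim on L76 and is order-sensitive (the `&` pass must run first, or the `&lt;`/`&gt;` it produces would be re-escaped), which is exactly the kind of detail that drifts when one copy is edited; since both sites insert the comment as element text, jQuery's `.text()` does the same job without hand-rolled entities, e.g. `parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').text($("#review").val());` on L69, with the `Edit` link still appended on L70. On L76 the text is concatenated onto an unclosed `"<p>"` string, so there a `<p>` element would have to be created in the opener document before `.text()` can be used. This only affects the preview painted into the opener window; the server-rendered templates remain the escaping that matters, and the two should stay equivalent (HTML::Template's `ESCAPE="HTML"` also encodes quotes, which is harmless as element content here). The submit handler starts at L65 and continues past L79.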
index 7e44348..4d3bf18 100644 (file)
@@ -19,7 +19,7 @@
     </tr>
     <tr>
         <td>
-            <!--TMPL_VAR NAME="review"-->
+            <!--TMPL_VAR NAME="review" ESCAPE="HTML"-->
             <p><!--TMPL_VAR NAME="datereviewed"--></p>
         </td>
     </tr>