Bug 19108: Fix Stored XSS in biblio_framework.pl and marctagstructure.pl

To Test
1. Hit the page /cgi-bin/koha/admin/biblio_framework.pl?op=add_form
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is execute
5. Click on Actions -> MARC structure
6. Apply patch and reload, the js is escaped

Fixed for both the pages biblio_framework.pl and marctagstructure.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/biblio_framework.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/biblio_framework.tt
index 4edc861..166663f 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/biblio_framework.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/biblio_framework.tt
@@ -3,7 +3,7 @@
 [% IF op == 'add_form' %]
 › [% IF framework %]Modify framework text[% ELSE %]Add framework[% END %]
 [% ELSIF op == 'delete_confirm' %]
-› Delete framework for [% framework.frameworktext %] ([% framework.frameworkcode %])?
+› Delete framework for [% framework.frameworktext |html %] ([% framework.frameworkcode %])?
 [% END %]
 </title>
 [% INCLUDE 'doc-head-close.inc' %]
@@ -31,7 +31,7 @@
 [% IF op == 'add_form' %]
 &rsaquo; [% IF framework %]Modify framework text[% ELSE %]Add framework[% END %]
 [% ELSIF op == 'delete_confirm' %]
-&rsaquo; Delete framework for [% framework.frameworktext %] ([% framework.frameworkcode %])?
+&rsaquo; Delete framework for [% framework.frameworktext |html %] ([% framework.frameworkcode %])?
 [% END %]
 </div>
 
@@ -107,13 +107,13 @@
     <div class="dialog alert">
         [% IF biblios_use_this_framework %]
             <h3>This framework cannot be deleted</h3>
-            <p><strong><span class="ex">[% framework.frameworktext %] ([% framework.frameworkcode %])</span></strong></p>
+            <p><strong><span class="ex">[% framework.frameworktext |text %] ([% framework.frameworkcode %])</span></strong></p>
             <p>The framework is used [% biblios_use_this_framework %] times.</p>
             <form action="/cgi-bin/koha/admin/biblio_framework.pl" method="get">
                 <button type="submit"><i class="fa fa-fw fa-arrow-left"></i> Return to frameworks</button>
             </form>
         [% ELSE %]
-            <h3>Delete framework for [% framework.frameworktext %] ([% framework.frameworkcode %])?</h3>
+            <h3>Delete framework for [% framework.frameworktext |html %] ([% framework.frameworkcode %])?</h3>
             <form class="inline" action="/cgi-bin/koha/admin/biblio_framework.pl" method="post">
                 <input type="hidden" name="op" value="delete_confirmed" />
                 <input type="hidden" name="frameworkcode" value="[% framework.frameworkcode %]" />
@@ -209,7 +209,7 @@
     [% FOREACH loo IN frameworks %]
         <tr>
             <td>[% loo.frameworkcode %]</td>
-            <td>[% loo.frameworktext %]</td>
+            <td>[% loo.frameworktext |html %]</td>
             <td>
               <div class="dropdown">
                 <a class="btn btn-default btn-xs dropdown-toggle" id="frameworkactions[% loo.frameworkcode %]" role="button" data-toggle="dropdown" href="#">
@@ -230,7 +230,7 @@
                   <div class="modal-content">
                   <div class="modal-header">
                     <button type="button" class="closebtn" data-dismiss="modal" aria-hidden="true">×</button>
-                    <h3 id="exportLabelexportModal_[% loo.frameworkcode %][% loop.count %]">Export [% loo.frameworktext %] framework</h3>
+                    <h3 id="exportLabelexportModal_[% loo.frameworkcode %][% loop.count %]">Export [% loo.frameworktext |html %] framework</h3>
                   </div>
                   <form action="import_export_framework.pl" name="form_[% loo.frameworkcode %]" method="get" target="_blank"  class="form_export">
                     <div class="modal-body">

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marctagstructure.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marctagstructure.tt
index a5d354d..e4033a3 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marctagstructure.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marctagstructure.tt
@@ -39,15 +39,15 @@ $(document).ready(function() {
 &rsaquo; <a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a>
 &rsaquo; <a href="/cgi-bin/koha/admin/biblio_framework.pl">MARC frameworks</a>
 [% IF ( add_form ) %]
-&rsaquo; <a href="/cgi-bin/koha/admin/marctagstructure.pl?frameworkcode=[% framework.frameworkcode %]">[% IF framework %][% framework.frameworktext %] ([% framework.frameworkcode %])[% ELSE %]Default MARC framework[% END%]</a>
+&rsaquo; <a href="/cgi-bin/koha/admin/marctagstructure.pl?frameworkcode=[% framework.frameworkcode %]">[% IF framework %][% framework.frameworktext |html %] ([% framework.frameworkcode %])[% ELSE %]Default MARC framework[% END%]</a>
 &rsaquo; [% action %] [% searchfield %]
 [% ELSIF ( else ) %]
-&rsaquo; <a href="/cgi-bin/koha/admin/marctagstructure.pl?frameworkcode=[% framework.frameworkcode %]">[% IF framework %][% framework.frameworktext %] ([% framework.frameworkcode %])[% ELSE %]Default MARC framework[% END %]</a>
+&rsaquo; <a href="/cgi-bin/koha/admin/marctagstructure.pl?frameworkcode=[% framework.frameworkcode %]">[% IF framework %][% framework.frameworktext |html %] ([% framework.frameworkcode %])[% ELSE %]Default MARC framework[% END %]</a>
 [% ELSIF ( delete_confirm ) %]
-&rsaquo; <a href="/cgi-bin/koha/admin/marctagstructure.pl?frameworkcode=[% framework.frameworkcode %]">[% IF framework %][% framework.frameworktext %] ([% framework.frameworkcode %])[% ELSE %]Default MARC framework[% END %]</a>
+&rsaquo; <a href="/cgi-bin/koha/admin/marctagstructure.pl?frameworkcode=[% framework.frameworkcode %]">[% IF framework %][% framework.frameworktext |html %] ([% framework.frameworkcode %])[% ELSE %]Default MARC framework[% END %]</a>
 &rsaquo; Confirm deletion of tag '[% searchfield %]'
 [% ELSIF ( delete_confirmed ) %]
-&rsaquo; <a href="/cgi-bin/koha/admin/marctagstructure.pl?frameworkcode=[% framework.frameworkcode %]">[% IF framework %][% framework.frameworktext %] ([% framework.frameworkcode %])[% ELSE %]Default MARC framework[% END %]</a>
+&rsaquo; <a href="/cgi-bin/koha/admin/marctagstructure.pl?frameworkcode=[% framework.frameworkcode %]">[% IF framework %][% framework.frameworktext |html %] ([% framework.frameworkcode %])[% ELSE %]Default MARC framework[% END %]</a>
 &rsaquo; Data deleted
 [% END %]
 </div>
@@ -62,7 +62,7 @@ $(document).ready(function() {
     <a class="btn btn-default btn-sm" id="addtag" href="/cgi-bin/koha/admin/marctagstructure.pl?op=add_form&amp;frameworkcode=[% framework.frameworkcode %]"><i class="fa fa-plus"></i> New tag</a>
 </div>[% END %]
 
-<h1>MARC Framework for [% IF framework %][% framework.frameworktext %] ([% framework.frameworkcode %])[% ELSE %]default MARC framework[% END %]</h1>
+<h1>MARC Framework for [% IF framework %][% framework.frameworktext |html %] ([% framework.frameworkcode %])[% ELSE %]default MARC framework[% END %]</h1>
 
 [% IF ( add_form ) %]
 
@@ -143,11 +143,11 @@ $(document).ready(function() {
     <form action="[% script_name %]" method="post">
         <input type="hidden" name="op" value="framework_create_confirm" />
         <input type="hidden" name="frameworkcode" value="[% framework.frameworkcode %]" />
-        Create framework for [% frameworkcode %] ([% framework.frameworktext %]) using
+        Create framework for [% frameworkcode %] ([% framework.frameworktext |html %]) using
         <select name="existingframeworkcode">
             <option value="">Default</option>
         [% FOREACH existingframeworkloo IN existingframeworkloop %]
-            <option value="[% existingframeworkloo.value %]">[% existingframeworkloo.frameworktext %]</option>
+            <option value="[% existingframeworkloo.value %]">[% existingframeworkloo.frameworktext |html %]</option>
         [% END %]
         </select>
         <input type="submit" value="OK" />
@@ -166,9 +166,9 @@ $(document).ready(function() {
             <option value="">Default</option>
             [% FOREACH f IN frameworks %]
             [% IF f.frameworkcode == framework.frameworkcode %]
-                <option value="[% f.frameworkcode %]" selected="selected">[% f.frameworktext %]</option>
+                <option value="[% f.frameworkcode %]" selected="selected">[% f.frameworktext |html %]</option>
                 [% ELSE %]
-                <option value="[% f.frameworkcode %]">[% f.frameworktext %]</option>
+                <option value="[% f.frameworkcode %]">[% f.frameworktext |html %]</option>
                 [% END %]
             [% END %]
         </select>