Bug 14423: XSS bug in auth_subfields_structure

1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice a ton of alert boxes pop up
3/ Apply patch
4/ Reload url, no longer get any alerts
5/ Test fuctionality still works

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_subfields_structure.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_subfields_structure.tt
index 87b468b..5d4b0bf 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_subfields_structure.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_subfields_structure.tt
@@ -27,11 +27,11 @@ function displayMoreConstraint(numlayer){
 [% INCLUDE 'cat-search.inc' %]
 <div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a> &rsaquo;
   <a href="/cgi-bin/koha/admin/authtypes.pl">Authority types</a> &rsaquo;
-  [% IF ( authtypecode ) %]<a href="/cgi-bin/koha/admin/auth_tag_structure.pl?authtypecode=[% authtypecode %]">[% authtypecode %] framework</a> &rsaquo;
+  [% IF ( authtypecode ) %]<a href="/cgi-bin/koha/admin/auth_tag_structure.pl?authtypecode=[% authtypecode | uri%]">[% authtypecode |html%] framework</a> &rsaquo;
   [% ELSE %]<a href="/cgi-bin/koha/admin/auth_tag_structure.pl">Default framework</a> &rsaquo;
   [% END %]
-  [% IF ( else ) %]Authority MARC subfield structure for [% tagfield %]
-  [% ELSE %]<a href="/cgi-bin/koha/admin/auth_subfields_structure.pl?tagfield=[% tagfield %]&amp;tagsubfield=[% tagsubfield %]&amp;authtypecode=[% authtypecode %]">Authority MARC subfield structure for [% tagfield %]</a> &rsaquo;
+  [% IF ( else ) %]Authority MARC subfield structure for [% tagfield | html %]
+  [% ELSE %]<a href="/cgi-bin/koha/admin/auth_subfields_structure.pl?tagfield=[% tagfield | uri %]&amp;tagsubfield=[% tagsubfield %]&amp;authtypecode=[% authtypecode |uri %]">Authority MARC subfield structure for [% tagfield | html %]</a> &rsaquo;
   [% END %]
   [% IF ( delete_confirm ) %]Confirm deletion of subfield [% tagsubfield %]?[% END %]
   [% IF ( delete_confirmed ) %]Data deleted[% END %]
@@ -51,13 +51,13 @@ function displayMoreConstraint(numlayer){
 [% IF ( add_form ) %]
 
     <h1>[% IF ( use_heading_flags_p ) %]
-    [% IF ( heading_edit_subfields_p ) %]Edit MARC subfields constraints for field [% tagfield %] authority [% authtypecode %][% END %]
+    [% IF ( heading_edit_subfields_p ) %]Edit MARC subfields constraints for field [% tagfield | html %] authority [% authtypecode |html%][% END %]
     [% ELSE %][% action %][% END %]</h1>
     <form action="[% script_name %]" name="Aform" method="post">
         <input type="hidden" name="op" value="add_validate" />
-        <input type="hidden" name="tagfield" value="[% tagfield %]" />
-        <input type="hidden" name="authtypecode" value="[% authtypecode %]" />
-        <fieldset class="action"><input type="submit" class="submit" value="Save changes" /> <a class="cancel" href="/cgi-bin/koha/admin/auth_subfields_structure.pl?tagfield=[% tagfield %]&amp;authtypecode=[% authtypecode %]">Cancel</a></fieldset>
+        <input type="hidden" name="tagfield" value="[% tagfield | html %]" />
+        <input type="hidden" name="authtypecode" value="[% authtypecode | html%]" />
+        <fieldset class="action"><input type="submit" class="submit" value="Save changes" /> <a class="cancel" href="/cgi-bin/koha/admin/auth_subfields_structure.pl?tagfield=[% tagfield | uri %]&amp;authtypecode=[% authtypecode |uri %]">Cancel</a></fieldset>
         <div id="subfieldtabs" class="toptabs numbered">
             <ul>
                 [% FOREACH loo IN loop %]
@@ -222,16 +222,16 @@ function displayMoreConstraint(numlayer){
     <table><tr><th scope="row">Subfield:</th> <td>[% tagsubfield %]</td></tr>
     <tr><th scope="row">Description:</th> <td>[% liblibrarian %]</td></tr></table>
         <input type="hidden" name="searchfield" value="[% searchfield %]" />
-        <input type="hidden" name="tagfield" value="[% tagfield %]" />
+        <input type="hidden" name="tagfield" value="[% tagfield | html%]" />
         <input type="hidden" name="tagsubfield" value="[% tagsubfield %]" />
-        <input type="hidden" name="authtypecode" value="[% authtypecode %]" />
+        <input type="hidden" name="authtypecode" value="[% authtypecode | html%]" />
         <input type="submit" class="approve" value="Yes, delete this subfield" />
         </form>
         <form action="[% delete_link %]" method="get">
          <input type="hidden" name="searchfield" value="[% searchfield %]" />
-        <input type="hidden" name="tagfield" value="[% tagfield %]" />
+        <input type="hidden" name="tagfield" value="[% tagfield | html %]" />
         <input type="hidden" name="tagsubfield" value="[% tagsubfield %]" />
-        <input type="hidden" name="authtypecode" value="[% authtypecode %]" />
+        <input type="hidden" name="authtypecode" value="[% authtypecode |html%]" />
         <input type="submit" class="deny" value="No, do not delete" />
         </form>
     </form></div>
@@ -241,14 +241,14 @@ function displayMoreConstraint(numlayer){
 
    <div class="dialog message"> <h3>Data deleted</h3>
     <form action="[% script_name %]" method="post">
-        <input type="hidden" name="tagfield" value="[% tagfield %]" />
+        <input type="hidden" name="tagfield" value="[% tagfield | html %]" />
         <input type="submit" class="approve" value="OK" />
     </form></div>
 [% END %]
 
 
 [% IF ( else ) %]
-<h1>Authority MARC subfield structure admin for [% tagfield %] (authority: [% authtypecode %])</h1>
+<h1>Authority MARC subfield structure admin for [% tagfield | html %] (authority: [% authtypecode | html%])</h1>
 <p>This screen shows the subfields associated with the selected tag. You can edit subfields or add a new one by clicking on edit. </p>
 <p>The column <b>Koha field</b> shows that the subfield is linked with a Koha field. Koha can manage a MARC interface, and a Koha interface. This link ensures that both DB are synchronized</p>
 
@@ -300,7 +300,7 @@ function displayMoreConstraint(numlayer){
     <input type="hidden" name="tagfield" value="[% edit_tagfield %]" />
     <input type="hidden" name="authtypecode" value="[% edit_authtypecode %]" />
     <input type="submit" value="Edit subfields" />
-    <a class="cancel" href="auth_tag_structure.pl?searchfield=[% tagfield %]&amp;authtypecode=[% authtypecode %]">Cancel</a></fieldset>
+    <a class="cancel" href="auth_tag_structure.pl?searchfield=[% tagfield | uri%]&amp;authtypecode=[% authtypecode | uri %]">Cancel</a></fieldset>
     </form>
 
     [% IF ( previous ) %]