// essential info for performing a transaction
var ebook_action = {};
[%- IF CGI.param("action").defined %]
-ebook_action.type = '[% CGI.param("action") %]';
+ebook_action.type = '[% CGI.param("action") | html %]';
[%- END -%]
[%- IF CGI.param("title").defined %]
-ebook_action.title_id = '[% CGI.param("title") %]';
+ebook_action.title_id = '[% CGI.param("title") | html %]';
[%- END -%]
[%- IF CGI.param("vendor").defined %]
-ebook_action.vendor = '[% CGI.param("vendor") %]';
+ebook_action.vendor = '[% CGI.param("vendor") | html %]';
[%- END -%]
[% IF ctx.user %]
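Review bot: The `html` filter is the wrong encoder for the three `ebook_action` values on the `+` lines, because they are emitted inside single-quoted JavaScript string literals. Template Toolkit's `html` filter rewrites `&`, `<`, `>` and `"` but leaves `'`, backslashes and line breaks alone, so a parameter containing a single quote still terminates the literal early. Assuming this block is rendered inside a `<script>` element, entities are not decoded there either, so a legitimate value containing `&` would reach the script as `&amp;`. Since these look like short identifiers, I would check each against an allow-list before emitting it, e.g. `[%- IF CGI.param("title").match('^[A-Za-z0-9_-]+$') %]` (the pattern is a guess and needs adjusting to the real ID format), with the equivalent guard for `action` and `vendor`.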
# parts/searchbar.tt2, and results.tt2.
show_detail_view = 0;
IF CGI.param("detail_record_view").defined;
- show_detail_view = CGI.param("detail_record_view");
+ show_detail_view = CGI.param("detail_record_view") | html;
ELSIF show_more_details.default == "true" OR
show_more_details.default == "hide";
show_detail_view = 1;
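Review bot: The filter added to the `show_detail_view` assignment probably has no effect. As far as I know, `|` in Template Toolkit filters a directive's output, so `x = expr | html` filters the (empty) output of the assignment and the variable still holds the raw parameter. The same applies to the `date1` and `date2` assignments in the pubdate-filter hunk later in this diff. If `show_detail_view` is only used as a flag, normalise it instead, e.g. `show_detail_view = CGI.param("detail_record_view") ? 1 : 0;`; for the dates, apply `| html` where the values are printed. The enclosing block starts and ends outside this hunk, so how these variables are emitted is not visible here.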
[% l('Advanced Hold Options') %]</a>
[% END %]
[% IF CGI.param('hold_type') == 'M' AND CGI.param('bre_id') %]
- <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') %]" />
+ <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') | html %]" />
<a id='basic_hold_link'
href="[% mkurl('', {hold_target => CGI.param('bre_id'), hold_type => 'T'}) %]">
[% l('Basic Hold Options') %]</a>
[% END %]
<span>
[% IF any_failures OR ctx.general_hold_error %]
- <a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Cancel') %]</a>
+ <a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Cancel') %]</a>
[% ELSE %]
<div class='hold_success_links'>
- <span><a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Continue') %]</a></span>
+ <span><a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Continue') %]</a></span>
[% IF ctx.is_staff %]
[% IF CGI.param('hold_type') == 'C';
hold_type_label = l('copy');
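Review bot: HTML-escaping `redirect_to` on the two `href` lines does not constrain where the Cancel and Continue links point, since a value with a `javascript:` scheme or an absolute off-site URL passes through `| html` unchanged. I would resolve the target once and accept only site-relative paths, roughly `[% redir = CGI.param('redirect_to'); redir = CGI.referer UNLESS redir.match('^/[^/]') %]` followed by `href="[% redir | html %]"`. That is a sketch: the pattern should also reject a backslash after the leading slash. Separately, the old `a || b | html` form most likely already filtered the result of the whole `||` expression, so please confirm that the new `a | html || b | html` form parses and still falls back to `CGI.referer`.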
[%- END; # IF locations -%]
[%- IF pubdate_filters.grep('^' _ filter.name _ '$').size;
- date1 = CGI.param('date1');
- date2 = CGI.param('date2');
+ date1 = CGI.param('date1') | html;
+ date2 = CGI.param('date2') | html;
-%]
<div class="adv_filter_results_group_wrapper">
<div class="adv_filter_results_group">