line = line.replace(/<block.*?>/gi,'');
line = line.replace(/<li.*?>/gi,' * ');
line = line.replace(/<.+?>/gi,'');
+ line = line.replace(/</gi,'<');
+ line = line.replace(/>/gi,'>');
+ line = line.replace(/&/gi,'&');
if (line) { new_lines.push(line); }
} else {
new_lines.push(line);
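Review bot: The three added replacements after the generic tag strip carry no comment on their order or on what the result may be used for. As rendered here each pattern equals its replacement, so presumably the page decoded the entity names and the lines turn the lt, gt and amp entities back into characters. If so, the ampersand step has to stay last to avoid decoding twice, and the returned text can again contain literal `<` and `>`. I would add `/* decode lt/gt first and amp last; the result is plain text and must not be written back into markup */` above them. The enclosing function starts and ends outside the hunk.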
return new_html;
},
+ 'escape_html' : function(data) {
+ return data.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>');
+ },
+
'simple' : function(msg,params) {
try {
if (!params) params = {};
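Review bot: `escape_html` calls `data.replace` directly, so a non-string argument throws a TypeError instead of being coerced the way `String.prototype.replace` coerced the raw value before this change. The `params.data` loop explicitly admits `typeof params.data[i] == 'number'` and then hands that number to `this.escape_html`, which lands in the catch and raises `standard_unexpected_error_alert`. The `params.row[i]` calls in both row loops are exposed the same way for numbers and nulls, and in the fixed-placeholder substitutions (`%patron_barcode%` through `%PATRON_BARCODE%`) the catch leaves the placeholder unsubstituted. Changing `data.replace(` to `String(data).replace(` keeps the earlier coercion. The helper also leaves double and single quotes untouched, so it covers placeholders in element content only; a template that puts a placeholder inside an attribute value would need quotes encoded as well.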
try{b = s; s = s.replace(/%LINE_NO%/,Number(params.row_idx)+1);}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%patron_barcode%/,params.patron_barcode);}
+ try{b = s; s = s.replace(/%patron_barcode%/,this.escape_html(params.patron_barcode));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%LIBRARY%/,params.lib.name());}
+ try{b = s; s = s.replace(/%LIBRARY%/,this.escape_html(params.lib.name()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PINES_CODE%/,params.lib.shortname());}
+ try{b = s; s = s.replace(/%PINES_CODE%/,this.escape_html(params.lib.shortname()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%SHORTNAME%/,params.lib.shortname());}
+ try{b = s; s = s.replace(/%SHORTNAME%/,this.escape_html(params.lib.shortname()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_FIRSTNAME%/,params.staff.first_given_name());}
+ try{b = s; s = s.replace(/%STAFF_FIRSTNAME%/,this.escape_html(params.staff.first_given_name()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_LASTNAME%/,params.staff.family_name());}
+ try{b = s; s = s.replace(/%STAFF_LASTNAME%/,this.escape_html(params.staff.family_name()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_BARCODE%/,params.staff.barcode); }
+ try{b = s; s = s.replace(/%STAFF_BARCODE%/,this.escape_html(params.staff.barcode)); }
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_PROFILE%/,obj.data.hash.pgt[ params.staff.profile() ].name() ); }
+ try{b = s; s = s.replace(/%STAFF_PROFILE%/,this.escape_html(obj.data.hash.pgt[ params.staff.profile() ].name() )); }
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_ALIAS_OR_FIRSTNAME%/,(params.patron.alias() == '' || params.patron.alias() == null) ? params.patron.first_given_name() : params.patron.alias());}
+ try{b = s; s = s.replace(/%PATRON_ALIAS_OR_FIRSTNAME%/,this.escape_html((params.patron.alias() == '' || params.patron.alias() == null) ? params.patron.first_given_name() : params.patron.alias()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_ALIAS%/,(params.patron.alias() == '' || params.patron.alias() == null) ? '' : params.patron.alias());}
+ try{b = s; s = s.replace(/%PATRON_ALIAS%/,this.escape_html((params.patron.alias() == '' || params.patron.alias() == null) ? '' : params.patron.alias()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_FIRSTNAME%/,params.patron.first_given_name());}
+ try{b = s; s = s.replace(/%PATRON_FIRSTNAME%/,this.escape_html(params.patron.first_given_name()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_LASTNAME%/,params.patron.family_name());}
+ try{b = s; s = s.replace(/%PATRON_LASTNAME%/,this.escape_html(params.patron.family_name()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_BARCODE%/,typeof params.patron.card() == 'object' ? params.patron.card().barcode() : util.functional.find_id_object_in_list( params.patron.cards(), params.patron.card() ).barcode() ) ;}
+ try{b = s; s = s.replace(/%PATRON_BARCODE%/,this.escape_html(typeof params.patron.card() == 'object' ? params.patron.card().barcode() : util.functional.find_id_object_in_list( params.patron.cards(), params.patron.card() ).barcode() )) ;}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
try{b = s; s=s.replace(/%TODAY%/g,(new Date()));}
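Review bot: The escaped value is still passed to `replace` as a replacement string, so dollar sequences such as `$&` or `$1` in a patron name, alias or barcode are expanded rather than printed literally, and `escape_html` does not touch `$`. Passing a function avoids that, e.g. `var v = this.escape_html(params.patron.family_name()); s = s.replace(/%PATRON_LASTNAME%/, function() { return v; });`, and the same applies to every substitution in this run. Separately, the `%STAFF_BARCODE%` line passes `params.staff.barcode` without a call, unlike the neighbouring accessors. If that is also an accessor function, `escape_html` now receives a function and throws, so the placeholder stays in the output; worth confirming against the staff object. The enclosing function starts and ends outside the hunk.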
alert('debug - please tell the developers that deprecated template code tried to execute');
for (var i = 0; i < cols.length; i++) {
var re = new RegExp(cols[i],"g");
- try{b = s; s=s.replace(re, params.row[i]);}
+ try{b = s; s=s.replace(re, this.escape_html(params.row[i]));}
catch(E){s = b; this.error.standard_unexpected_error_alert('print.js, template_sub(): 1 string = <' + s + '>',E);}
}
} else {
/* for dump_with_keys */
for (var i in params.row) {
var re = new RegExp('%'+i+'%',"g");
- try{b = s; s=s.replace(re, params.row[i]);}
+ try{b = s; s=s.replace(re, this.escape_html(params.row[i]));}
catch(E){s = b; this.error.standard_unexpected_error_alert('print.js, template_sub(): 2 string = <' + s + '>',E);}
}
}
for (var i in params.data) {
var re = new RegExp('%'+i+'%',"g");
if (typeof params.data[i] == 'string' || typeof params.data[i] == 'number') {
- try{b = s; s=s.replace(re, params.data[i]);}
+ try{b = s; s=s.replace(re, this.escape_html(params.data[i]));}
catch(E){s = b; this.error.standard_unexpected_error_alert('print.js, template_sub(): 3 string = <' + s + '>',E);}
} else {
/* likely a null, print as an empty string */
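Review bot: Escaping `params.row[i]` and `params.data[i]` unconditionally changes the contract for every caller of this substitution, and nothing in the code records that. Callers are not visible here, but any that already entity-encode their values would now print doubly encoded text, and any that deliberately pass markup fragments would print the tags literally. I would add a comment above the loops such as `/* row and data values are plain text and are escaped here; callers must not pre-escape or pass markup */` and audit the callers against it. The final else branch continues outside the hunk.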