From: Dan Scott <dscott@laurentian.ca>
Date: Wed, 26 Apr 2017 04:19:42 +0000 (-0400)
Subject: LP#1478128: Avoid XSS in public catalog
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=472bd5ae1486fc0349581b02e666d0e8b8d5c143;p=contrib%2FConifer.git

LP#1478128: Avoid XSS in public catalog

This patch escapes various GET param values by passing them through
the Template Toolkit html filter, including:

* in the locale picker
* in the searchbar
* in the login form

Signed-off-by: Dan Scott <dscott@laurentian.ca>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>

Conflicts:
	Open-ILS/src/templates/opac/parts/searchbar.tt2

Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---

diff --git a/Open-ILS/src/templates/opac/parts/locale_picker.tt2 b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
index 12019cdddd..2ba56c0350 100644
--- a/Open-ILS/src/templates/opac/parts/locale_picker.tt2
+++ b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
@@ -10,7 +10,7 @@
     <label for="locale_picker">[% l("Language:") %]</label>
     [%- FOREACH param IN CGI.params(); -%]
         [%- NEXT IF param.key == 'set_eg_locale'; -%]
-        <input type="hidden" name="[% param.key %]" value="[% param.value %]" />
+        <input type="hidden" name="[% param.key | html %]" value="[% param.value | html %]" />
     [%- END; -%]
     <select id="locale_picker" name="set_eg_locale">
     [%- FOREACH locale IN ctx.locales.keys %]
diff --git a/Open-ILS/src/templates/opac/parts/login/form.tt2 b/Open-ILS/src/templates/opac/parts/login/form.tt2
index 88d42c91eb..c4b20544d4 100644
--- a/Open-ILS/src/templates/opac/parts/login/form.tt2
+++ b/Open-ILS/src/templates/opac/parts/login/form.tt2
@@ -49,7 +49,7 @@
             END;
                 redirect = redirect  | replace('^http:', 'https:');
             %]
-            <input type='hidden' name='redirect_to' value='[% redirect %]'/>
+            <input type='hidden' name='redirect_to' value='[% redirect | html %]'/>
             <input type="checkbox" name="persist" id="login_persist" /><label for="login_persist"> [% l('Stay logged in?') %]</label>
             <input type="submit" value="[% l('Log in') %]" alt="[% l('Log in') %]" class="opac-button" />
         </div>
diff --git a/Open-ILS/src/templates/opac/parts/searchbar.tt2 b/Open-ILS/src/templates/opac/parts/searchbar.tt2
index 20088fa93b..1b368ff230 100644
--- a/Open-ILS/src/templates/opac/parts/searchbar.tt2
+++ b/Open-ILS/src/templates/opac/parts/searchbar.tt2
@@ -90,9 +90,9 @@
             number_of_expert_rows = CGI.param('tag').list.size;
             index = 0;
             WHILE index < number_of_expert_rows %]
-                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index %]" />
-                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index %]" />
-                <input type="hidden" name="term" value="[% CGI.param('term').list.$index %]" />
+                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index | html %]" />
+                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index | html %]" />
+                <input type="hidden" name="term" value="[% CGI.param('term').list.$index | html %]" />
                 [% index = index + 1; %]
             [% END %]
         [% END %]