From: Dan Scott Date: Wed, 21 Mar 2018 21:08:35 +0000 (+0100) Subject: LP1757526 Escape displayed catalogue data X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=9d7b19f77d0ba1c2d898f0e73b3d8fa82331950f;p=evergreen%2Fpines.git LP1757526 Escape displayed catalogue data Content in content fields (5xx) as well as for the names of locations in copy count alt text was not being properly escaped, allowing for the possibility of executing arbitrary JavaScript in the case of a malicious catalogue record (whether edited in the system, or imported) Signed-off-by: Dan Scott Signed-off-by: Chris Sharp Signed-off-by: Galen Charlton
---
diff --git a/Open-ILS/src/templates/opac/parts/record/contents.tt2 b/Open-ILS/src/templates/opac/parts/record/contents.tt2
index 29fc33b4cd..50ae616288 100644
--- a/Open-ILS/src/templates/opac/parts/record/contents.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/contents.tt2
@@ -170,8 +170,7 @@ BLOCK render_contents;
 all_content.push(subfield.textContent);
 END;
 total_contents = all_content.join(" ").replace('\s+$', '');
- %] [% total_contents;
- IF total_contents.size; "
"; END; + %] [% "
"; total_contents | html ; "
"; FOREACH link880 IN graphics; '
'; link880.value | html; diff --git a/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2 b/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2 index eee85e8f09..e6e783f244 100644 --- a/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2 +++ b/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2 @@ -23,7 +23,7 @@ [%- this_depth = ctx.get_aou(ou_id).ou_type.depth; IF ou_count > 0 && this_depth != ctx.copy_depth %] + title="[% l('Show copies at [_1]', ou_name) | html; %]"> [%- l('(Show)'); %] [%- END; %] @@ -43,7 +43,7 @@ attrs.plib_copy_counts.$depth.count, ou_name) | html %] [% + title="[% l('Show copies at [_1]', ou_name) | html; %]">[% l('(Show preferred library)'); %] [%- END %]
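Review bot: The rewritten line `%] [% "<br />"; total_contents | html ; "<br />";` drops the old `IF total_contents.size` guard, so a record whose 5xx fields yield an empty `total_contents` now renders two bare `<br />` where it previously rendered nothing; the escaping is the right fix, but the guard can be kept with it, e.g. `%] [% IF total_contents.size; "<br />"; total_contents | html; "<br />"; END;`. Because `all_content` is assembled from `subfield.textContent` (presumably raw record data) and the joined value lands in element content, the `html` filter, which encodes `<`, `>`, `&` and `"`, is sufficient at this spot; it would not be enough if the same value were ever emitted into a single-quoted attribute or a script block. A one-line template comment above it, `[%# total_contents is unescaped record data: always emit it through | html %]`, would keep a later edit from reintroducing the raw output. BLOCK render_contents starts before this hunk and continues past it.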
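Review bot: In the new `title="[% l('Show copies at [_1]', ou_name) | html; %]"` the filter is applied to the interpolated result rather than to `ou_name` alone, which is the right order because the translated template text is escaped as well; note, however, that Template Toolkit's `html` filter encodes `"` but not `'`, so the fix holds only while this attribute stays double-quoted. A short comment on the line, `[%# keep double quotes: | html does not encode single quotes %]`, would record that constraint for the next editor. The opening tag this `title` belongs to is not visible in the hunk as extracted here, so whether its other attributes are escaped the same way cannot be confirmed from this hunk; the `ou_name` use in the second hunk at line 43 does already carry `| html`. The loop or block that defines `ou_id`, `ou_count` and `ou_name` begins before the hunk.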