From: Thomas Berezansky
Date: Thu, 11 Aug 2011 01:37:54 +0000 (-0400)
Subject: Escape HTML characters in template subs
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=f6fe28b5bb0a9de00f0c9f701517de002bb3793a;p=evergreen%2Ftadl.git

Escape HTML characters in template subs

This prevents injection of random HTML from various sources. Like bad bib records, org unit settings, patron info, etc.

Signed-off-by: Thomas Berezansky
Signed-off-by: Jason Etheridge
---
diff --git a/Open-ILS/xul/staff_client/chrome/content/util/print.js b/Open-ILS/xul/staff_client/chrome/content/util/print.js
index f5d67c62b2..e0006ed7ab 100644
--- a/Open-ILS/xul/staff_client/chrome/content/util/print.js
+++ b/Open-ILS/xul/staff_client/chrome/content/util/print.js
@@ -82,6 +82,9 @@ util.print.prototype = {
 line = line.replace(//gi,'');
 line = line.replace(//gi,' * ');
 line = line.replace(/<.+?>/gi,'');
+ line = line.replace(/</gi,'<');
+ line = line.replace(/>/gi,'>');
+ line = line.replace(/&/gi,'&');
 if (line) { new_lines.push(line); }
 } else {
 new_lines.push(line);
@@ -92,6 +95,10 @@ util.print.prototype = {
 return new_html;
 },
 
+ 'escape_html' : function(data) {
+ return data.replace(/&/g,'&').replace(//g,'>');
+ },
+
 'simple' : function(msg,params) {
 try {
 if (!params) params = {};
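Review bot: The three added `line.replace` calls in the `@@ -82,6` hunk escape `<` and `>` before `&`, so if the replacement strings are HTML entities (as printed they read `'<'`, `'>'`, `'&'`, which would be identity replacements — that looks like the entities were decoded when this page was rendered) the last call re-escapes the `&` that the first two just produced, turning every `<` into `&amp;lt;`. The ampersand must be escaped first, which is also the order the new `escape_html` helper in the next hunk uses: `line = line.replace(/&/g,'&amp;');` `line = line.replace(/</g,'&lt;');` `line = line.replace(/>/g,'&gt;');`. The `i` flag on a single punctuation character does nothing and is best dropped. The enclosing function starts and ends outside the hunk; note that the `/<.+?>/gi` line above has already stripped tags, so these lines only protect against stray brackets left in text, and a short comment saying so, e.g. `// tags are already stripped; escape what remains so it renders literally`, would make the intent clear.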
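Review bot: The new `escape_html` helper calls `data.replace` directly, but the callers this commit introduces do not always pass strings — the `@@ -294,7` hunk explicitly admits `typeof params.data[i] == 'number'`, and `params.row[i]` and `params.staff.barcode` are not known to be strings — and a number or null has no `.replace`, so the call throws, the surrounding `catch` restores `s = b`, and the placeholder is left unsubstituted where the old `s.replace(re, params.row[i])` printed the value. Coerce first: `return String(data).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');` (the chain as printed here is garbled — `//g` is an empty regex that JavaScript reads as a line comment — presumably the same entity decoding seen elsewhere on this page). The helper also leaves `"` and `'` untouched, so it is only sufficient for values placed in element text; if any template puts a substitution inside an attribute value, add `.replace(/"/g,'&quot;').replace(/'/g,'&#39;')`. A one-line JSDoc such as `/** Escape &, < and > so a data value can be placed in the element text of generated HTML (not in attributes). */` would record that contract for future callers.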
@@ -222,32 +229,32 @@ util.print.prototype = {
 try{b = s; s = s.replace(/%LINE_NO%/,Number(params.row_idx)+1);}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%patron_barcode%/,params.patron_barcode);}
+ try{b = s; s = s.replace(/%patron_barcode%/,this.escape_html(params.patron_barcode));}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%LIBRARY%/,params.lib.name());}
+ try{b = s; s = s.replace(/%LIBRARY%/,this.escape_html(params.lib.name()));}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PINES_CODE%/,params.lib.shortname());}
+ try{b = s; s = s.replace(/%PINES_CODE%/,this.escape_html(params.lib.shortname()));}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%SHORTNAME%/,params.lib.shortname());}
+ try{b = s; s = s.replace(/%SHORTNAME%/,this.escape_html(params.lib.shortname()));}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_FIRSTNAME%/,params.staff.first_given_name());}
+ try{b = s; s = s.replace(/%STAFF_FIRSTNAME%/,this.escape_html(params.staff.first_given_name()));}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_LASTNAME%/,params.staff.family_name());}
+ try{b = s; s = s.replace(/%STAFF_LASTNAME%/,this.escape_html(params.staff.family_name()));}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_BARCODE%/,params.staff.barcode); }
+ try{b = s; s = s.replace(/%STAFF_BARCODE%/,this.escape_html(params.staff.barcode)); }
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_PROFILE%/,obj.data.hash.pgt[ params.staff.profile() ].name() ); }
+ try{b = s; s = s.replace(/%STAFF_PROFILE%/,this.escape_html(obj.data.hash.pgt[ params.staff.profile() ].name() )); }
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_ALIAS_OR_FIRSTNAME%/,(params.patron.alias() == '' || params.patron.alias() == null) ? params.patron.first_given_name() : params.patron.alias());}
+ try{b = s; s = s.replace(/%PATRON_ALIAS_OR_FIRSTNAME%/,this.escape_html((params.patron.alias() == '' || params.patron.alias() == null) ? params.patron.first_given_name() : params.patron.alias()));}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_ALIAS%/,(params.patron.alias() == '' || params.patron.alias() == null) ? '' : params.patron.alias());}
+ try{b = s; s = s.replace(/%PATRON_ALIAS%/,this.escape_html((params.patron.alias() == '' || params.patron.alias() == null) ? '' : params.patron.alias()));}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_FIRSTNAME%/,params.patron.first_given_name());}
+ try{b = s; s = s.replace(/%PATRON_FIRSTNAME%/,this.escape_html(params.patron.first_given_name()));}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_LASTNAME%/,params.patron.family_name());}
+ try{b = s; s = s.replace(/%PATRON_LASTNAME%/,this.escape_html(params.patron.family_name()));}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_BARCODE%/,typeof params.patron.card() == 'object' ? params.patron.card().barcode() : util.functional.find_id_object_in_list( params.patron.cards(), params.patron.card() ).barcode() ) ;}
+ try{b = s; s = s.replace(/%PATRON_BARCODE%/,this.escape_html(typeof params.patron.card() == 'object' ? params.patron.card().barcode() : util.functional.find_id_object_in_list( params.patron.cards(), params.patron.card() ).barcode() )) ;}
 catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
 try{b = s; s=s.replace(/%TODAY%/g,(new Date()));}
@@ -277,14 +284,14 @@ util.print.prototype = {
 alert('debug - please tell the developers that deprecated template code tried to execute');
 for (var i = 0; i < cols.length; i++) {
 var re = new RegExp(cols[i],"g");
- try{b = s; s=s.replace(re, params.row[i]);}
+ try{b = s; s=s.replace(re, this.escape_html(params.row[i]));}
 catch(E){s = b; this.error.standard_unexpected_error_alert('print.js, template_sub(): 1 string = <' + s + '>',E);}
 }
 } else { /* for dump_with_keys */
 for (var i in params.row) {
 var re = new RegExp('%'+i+'%',"g");
- try{b = s; s=s.replace(re, params.row[i]);}
+ try{b = s; s=s.replace(re, this.escape_html(params.row[i]));}
 catch(E){s = b; this.error.standard_unexpected_error_alert('print.js, template_sub(): 2 string = <' + s + '>',E);}
 }
 }
@@ -294,7 +301,7 @@ util.print.prototype = {
 for (var i in params.data) {
 var re = new RegExp('%'+i+'%',"g");
 if (typeof params.data[i] == 'string' || typeof params.data[i] == 'number') {
- try{b = s; s=s.replace(re, params.data[i]);}
+ try{b = s; s=s.replace(re, this.escape_html(params.data[i]));}
 catch(E){s = b; this.error.standard_unexpected_error_alert('print.js, template_sub(): 3 string = <' + s + '>',E);}
 } else { /* likely a null, print as an empty string */
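Review bot: Every substitution in the `@@ -222,32` hunk now goes through `this.escape_html`, while the same lines reach instance data through `obj` (`obj.data.hash.pgt[...]` on the `%STAFF_PROFILE%` line), which suggests `this` is not relied on as the `util.print` instance everywhere in this function; if `this` is ever something else here, `this.escape_html` throws, the `catch` restores `s = b` with only a `D_WARN` dump, and the field is silently left as its `%...%` placeholder. Using the reference the surrounding code already uses, `obj.escape_html(...)`, or checking once that `obj === this` at the top of the function, would remove that uncertainty; the function starts before and ends after this hunk, so the binding of `obj` is not visible here. Leaving `%LINE_NO%` and `%TODAY%` unescaped is fine, since they are a Number and a Date the code itself produces rather than record data.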
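Review bot: In the `@@ -277,14` hunk, `s=s.replace(re, this.escape_html(params.row[i]))` still passes the value as a string replacement, so `String.prototype.replace` interprets `$&`, `` $` ``, `$'` and `$$` inside it; `escape_html` does not neutralize `$`, so a field containing those sequences is expanded into surrounding template text rather than printed literally (the same applies to the second loop in this hunk, to the `@@ -294,7` hunk, and to every `s.replace` in the `@@ -222,32` hunk). A function replacement sidesteps the pattern syntax: `var v = this.escape_html(params.row[i]);` `s = s.replace(re, function(){ return v; });`. Separately, `this.escape_html` on a numeric `params.row[i]` or `params.data[i]` throws because numbers have no `.replace`, and here — unlike the `D_WARN` dump in the earlier hunk — the `catch` routes that into `standard_unexpected_error_alert`, so numeric columns that printed before this commit would now raise a user-visible error unless the helper coerces with `String(data)`.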