From 5235a46fa6e6c25763e8444a1e9e9c44cf441133 Mon Sep 17 00:00:00 2001
From: Jeff Davis <jdavis@sitka.bclibraries.ca>
Date: Mon, 1 Apr 2019 15:13:09 -0700
Subject: [PATCH] LP#1822630: further sanitizing of CGI params when embedded in
 HTML

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Chris Sharp <csharp@georgialibraries.org>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---
 Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2 | 6 +++---
 Open-ILS/src/templates/opac/parts/header.tt2            | 2 +-
 Open-ILS/src/templates/opac/parts/place_hold.tt2        | 2 +-
 Open-ILS/src/templates/opac/parts/place_hold_result.tt2 | 4 ++--
 Open-ILS/src/templates/opac/parts/result/adv_filter.tt2 | 4 ++--
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2 b/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
index d5ba0f48ea..668b5fab3e 100644
--- a/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
+++ b/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
@@ -45,13 +45,13 @@ dojo.forEach(vendor_list, function(v) {
 // essential info for performing a transaction
 var ebook_action = {};
 [%- IF CGI.param("action").defined %]
-ebook_action.type = '[% CGI.param("action") %]';
+ebook_action.type = '[% CGI.param("action") | html %]';
 [%- END -%]
 [%- IF CGI.param("title").defined %]
-ebook_action.title_id = '[% CGI.param("title") %]';
+ebook_action.title_id = '[% CGI.param("title") | html %]';
 [%- END -%]
 [%- IF CGI.param("vendor").defined %]
-ebook_action.vendor = '[% CGI.param("vendor") %]';
+ebook_action.vendor = '[% CGI.param("vendor") | html %]';
 [%- END -%]
 
 [% IF ctx.user %]
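Review bot: The three values on the `+` lines are written into single-quoted JavaScript string literals, but Template Toolkit's `html` filter rewrites only `&`, `<`, `>` and `"`, so an apostrophe or backslash in the parameter still terminates or alters the JS literal, and an `&` now reaches the script as the literal text `&amp;` (script content is not entity-decoded), changing the value the script sees. HTML escaping is the wrong encoder for a script context; either escape for a JS string (backslash and quote, ideally also U+2028/U+2029) or, since `action`, `title` and `vendor` look like identifiers, reject anything outside the expected character class before emitting, e.g. `[%- IF CGI.param("action").defined AND CGI.param("action").match('^\w+$') %]` and likewise for the other two. The enclosing `<script>` block continues outside the hunk, so how `ebook_action` is consumed downstream is not visible here.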
diff --git a/Open-ILS/src/templates/opac/parts/header.tt2 b/Open-ILS/src/templates/opac/parts/header.tt2
index 76b2314187..5f397c3b7c 100644
--- a/Open-ILS/src/templates/opac/parts/header.tt2
+++ b/Open-ILS/src/templates/opac/parts/header.tt2
@@ -19,7 +19,7 @@
     # parts/searchbar.tt2, and results.tt2.
     show_detail_view = 0;
     IF CGI.param("detail_record_view").defined;
-        show_detail_view = CGI.param("detail_record_view");
+        show_detail_view = CGI.param("detail_record_view") | html;
     ELSIF show_more_details.default == "true" OR
           show_more_details.default == "hide";
         show_detail_view = 1;
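Review bot: Applying `| html` at assignment time stores an HTML-escaped string in `show_detail_view`, a variable the surrounding lines initialise to `0` and set to `1`, i.e. treat as a flag; nothing in the name says the value is pre-escaped, so a later `[% show_detail_view | html %]` double-escapes while a later raw use is safe only by accident. The same pattern is introduced for `date1`/`date2` in adv_filter.tt2. Escaping belongs at the point where a value is written into HTML; at an assignment a value check expresses the intent better, e.g. `show_detail_view = CGI.param("detail_record_view").match('^\d+$') ? CGI.param("detail_record_view") : 0;`. The directive block starts before the hunk, so where the variable is eventually rendered is not visible here.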
diff --git a/Open-ILS/src/templates/opac/parts/place_hold.tt2 b/Open-ILS/src/templates/opac/parts/place_hold.tt2
index f2d1bba3bc..95ff9e2b29 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold.tt2
@@ -192,7 +192,7 @@ function maybeToggleNumCopies(obj) {
                                 [% l('Advanced Hold Options') %]</a>
                         [% END %]
                         [% IF CGI.param('hold_type') == 'M' AND CGI.param('bre_id') %]
-                            <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') %]" />
+                            <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') | html %]" />
                             <a id='basic_hold_link'
                                href="[% mkurl('', {hold_target => CGI.param('bre_id'), hold_type => 'T'}) %]">
                                 [% l('Basic Hold Options') %]</a>
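Review bot: Escaping `bre_id` in the hidden field is consistent with the rest of the patch, but the same raw parameter is still handed to `mkurl()` on the `href` line just below, and whether `mkurl()` URL-encodes its hash values is not visible here. `bre_id` appears to be a bibliographic record id, so a numeric check on the surrounding condition, `[% IF CGI.param('hold_type') == 'M' AND CGI.param('bre_id') AND CGI.param('bre_id').match('^\d+$') %]`, would reject malformed input once instead of relying on each sink to encode it. The enclosing markup continues outside the hunk.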
diff --git a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
index 009145aeb2..2f434bdc60 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
@@ -148,10 +148,10 @@ function disable_submit() {
         [% END %]
         <span>
         [% IF any_failures OR ctx.general_hold_error %]
-        <a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Cancel') %]</a>
+        <a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Cancel') %]</a>
         [% ELSE %]
         <div class='hold_success_links'>
-          <span><a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Continue') %]</a></span>
+          <span><a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Continue') %]</a></span>
            [% IF ctx.is_staff %]
              [% IF CGI.param('hold_type') == 'C';
                   hold_type_label = l('copy');
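Review bot: On the original lines `| html` already applied to the whole `CGI.param('redirect_to') || CGI.referer` expression, because a TT filter binds to the complete directive expression, so the `| html` inserted before `||` is redundant, and I have not verified how TT parses `html || CGI.referer`; parenthesising removes the question on both changed lines: `<a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">`. Separately, HTML-escaping an `href` does not constrain the URL itself: a `redirect_to` value carrying a `javascript:` scheme or an off-site host passes the filter unchanged, so unless it is validated elsewhere (not visible here) the value should be checked to be a relative or same-origin path before being used as a link target. The enclosing function continues outside the hunk.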
diff --git a/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2 b/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
index ae2ef7a50c..35b2c77723 100644
--- a/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
+++ b/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
@@ -62,8 +62,8 @@ FOR filter IN ctx.query_struct.filters;
 [%- END; # IF locations -%]
 
 [%- IF pubdate_filters.grep('^' _ filter.name _ '$').size;
-    date1 = CGI.param('date1');
-    date2 = CGI.param('date2');
+    date1 = CGI.param('date1') | html;
+    date2 = CGI.param('date2') | html;
 -%]
     <div class="adv_filter_results_group_wrapper">
       <div class="adv_filter_results_group">
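Review bot: `date1` and `date2` are now stored escaped rather than validated, yet a publication-date filter has a known input shape, and matching against it rejects bad input at every later sink at once, e.g. `date1 = CGI.param('date1').match('^\d{4}$') ? CGI.param('date1') : '';` (adjust the pattern to the format the pubdate filter actually accepts). What that format is, and where `date1`/`date2` are rendered, lies outside this hunk.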
-- 
2.11.0