From 70750f721dcaba24d09cba8a41da35e6964e122b Mon Sep 17 00:00:00 2001
From: Dan Scott <dscott@laurentian.ca>
Date: Wed, 21 Mar 2018 22:08:35 +0100
Subject: [PATCH] LP1757526 Escape displayed catalogue data

Content in content fields (5xx), as well as the names of locations in copy
count alt text, was not being properly escaped, allowing for the possibility of
executing arbitrary JavaScript in the case of a malicious catalogue record
(whether edited in the system or imported).

Signed-off-by: Dan Scott <dscott@laurentian.ca>
Signed-off-by: Chris Sharp <csharp@georgialibraries.org>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---
 Open-ILS/src/templates/opac/parts/record/contents.tt2    | 3 +--
 Open-ILS/src/templates/opac/parts/record/copy_counts.tt2 | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/Open-ILS/src/templates/opac/parts/record/contents.tt2 b/Open-ILS/src/templates/opac/parts/record/contents.tt2
index 87057dc1a7..db80b475c2 100644
--- a/Open-ILS/src/templates/opac/parts/record/contents.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/contents.tt2
@@ -177,8 +177,7 @@ BLOCK render_contents;
             all_content.push(subfield.textContent);
         END;
         total_contents = all_content.join(" ").replace('\s+$', '');
-        %] [% total_contents;
-        IF total_contents.size; "<br/>"; END;
+        %] [% "<div class='content_field'>"; total_contents | html ; "</div>";
         FOREACH link880 IN graphics;
             '<div class="graphic880"' _ link880.dir _ '>';
             link880.value | html;
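Review bot: The added line drops the `IF total_contents.size` guard that the removed lines had, so a record whose content field yields no subfield text now emits an empty `<div class='content_field'></div>` where nothing was emitted before. If that is not intended, keep the guard around the wrapper: `IF total_contents.size; "<div class='content_field'>"; total_contents | html; "</div>"; END;`. The escaping itself looks right: `total_contents` is plain subfield text rendered as element content, and `| html` matches how `link880.value` is handled on the following lines. A minor style point is that the wrapper uses single-quoted `class='content_field'` while the adjacent `graphic880` div uses double-quoted attributes. The enclosing BLOCK render_contents starts and ends outside this hunk.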
diff --git a/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2 b/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
index eee85e8f09..e6e783f244 100644
--- a/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
@@ -23,7 +23,7 @@
     [%- this_depth = ctx.get_aou(ou_id).ou_type.depth;
         IF ou_count > 0 && this_depth != ctx.copy_depth %]
     <a href="[% mkurl('', {copy_depth => this_depth}, ['copy_offset']); %]"
-       title="[% l('Show copies at [_1]', ou_name); %]">
+       title="[% l('Show copies at [_1]', ou_name) | html; %]">
        [%- l('(Show)'); %]</a>
     [%- END; %]
     </li>
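Review bot: The `| html` on the title attribute is correct as written because the attribute is double-quoted and the html filter escapes the double quote, and the same one-line change is repeated in the second hunk of this file. What this hunk cannot show is whether the list item's visible rendering of `ou_name`, above the first context line, also carries `| html` the way the second list's does (the `ou_name) | html` context line in the next hunk); it is worth confirming so the fix covers every place the location name is rendered, not only the tooltip. The `href` built by `mkurl()` stays unescaped, which presumably relies on mkurl producing attribute-safe output — assumed, not visible here.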
@@ -43,7 +43,7 @@
             attrs.plib_copy_counts.$depth.count,
             ou_name) | html
     %] <a href="[% mkurl('', {locg => ou_id}, ['copy_offset']); %]"
-       title="[% l('Show copies at [_1]', ou_name); %]">[%
+       title="[% l('Show copies at [_1]', ou_name) | html; %]">[%
        l('(Show preferred library)');
     %]</a></li>
     [%- END %]
-- 
2.11.0