[Patches] [PATCH] Bug 7316 - Missing escaping in search results

koha-patchbot at kohaaloha.com koha-patchbot at kohaaloha.com
Mon Dec 5 06:30:03 NZDT 2011


From: =?UTF-8?q?Fr=C3=A8re=20S=C3=A9bastien=20Marie?= <semarie-koha at latrappe.fr>
Date: Sun, 4 Dec 2011 18:14:09 +0100
Subject: [PATCH] Bug 7316 - Missing escaping in search results

Two parameters are now escaped in title (html element):
 - query_desc
 - limit_desc

This is a security correction against XSS.
---
 .../prog/en/modules/catalogue/results.tt           |    2 +-
 .../prog/en/modules/opac-results-grouped.tt        |    2 +-
 .../opac-tmpl/prog/en/modules/opac-results.tt      |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
index 2bed51c..9b4f01f 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
@@ -1,5 +1,5 @@
 [% INCLUDE 'doc-head-open.inc' %]
-<title>Koha › Catalog › [% IF ( searchdesc ) %]Results of Search [% IF ( query_desc ) %]for '[% query_desc %]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc %]'[% END %][% ELSE %]You did not specify any search criteria[% END %]</title>
+<title>Koha › Catalog › [% IF ( searchdesc ) %]Results of Search [% IF ( query_desc ) %]for '[% query_desc | html %]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc | html %]'[% END %][% ELSE %]You did not specify any search criteria[% END %]</title>
 [% INCLUDE 'doc-head-close.inc' %]
 <script type="text/javascript" src="/intranet-tmpl/prog/en/lib/jquery/plugins/jquery.highlight-3.js"></script>
 <script type="text/javascript">
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
index baf7676..9e1b855 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
@@ -1,7 +1,7 @@
 [% INCLUDE 'doc-head-open.inc' %]
 [% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha Online[% END %] Catalog ›
 [% IF ( searchdesc ) %]
-	Results of Search [% IF ( query_desc ) %]for '[% query_desc %]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc %]'[% END %]
+	Results of Search [% IF ( query_desc ) %]for '[% query_desc | html %]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc | html %]'[% END %]
 [% ELSE %]
     You did not specify any search criteria.
 [% END %]
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
index 7201a82..798e0d8 100755
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
@@ -1,7 +1,7 @@
 [% INCLUDE 'doc-head-open.inc' %]
 [% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha Online[% END %] Catalog ›
 [% IF ( searchdesc ) %]
-	Results of Search [% IF ( query_desc ) %]for '[% query_desc %]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc %]'[% END %]
+	Results of Search [% IF ( query_desc ) %]for '[% query_desc | html%]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc | html %]'[% END %]
 [% ELSE %]
     You did not specify any search criteria.
 [% END %]
-- 
1.7.2.5




More information about the Patches mailing list