Bug 17029: Fix XSS in catalogue/*detail.pl

Hit
  /cgi-bin/koha/catalogue/detail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/ISBDdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/MARCdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/moredetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
  /cgi-bin/koha/catalogue/labeledMARCdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

diff --git a/catalogue/ISBDdetail.pl b/catalogue/ISBDdetail.pl
index 37c739c..4e64484 100755 (executable)
--- a/catalogue/ISBDdetail.pl
+++ b/catalogue/ISBDdetail.pl
@@ -36,6 +36,7 @@ This script needs a biblionumber as parameter
 use strict;
 #use warnings; FIXME - Bug 2505
 
+use HTML::Entities;
 use C4::Auth;
 use C4::Context;
 use C4::Output;
@@ -56,6 +57,7 @@ my $query = new CGI;
 my $dbh = C4::Context->dbh;
 
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 
 # open template
 my ( $template, $loggedinuser, $cookie ) = get_template_and_user(

diff --git a/catalogue/MARCdetail.pl b/catalogue/MARCdetail.pl
index ccf178e..63b41af 100755 (executable)
--- a/catalogue/MARCdetail.pl
+++ b/catalogue/MARCdetail.pl
@@ -45,11 +45,12 @@ the items attached to the biblio
 
 use strict;
 #use warnings; FIXME - Bug 2505
+use CGI qw ( -utf8 );
+use HTML::Entities;
 
 use C4::Auth;
 use C4::Context;
 use C4::Output;
-use CGI qw ( -utf8 );
 use C4::Koha;
 use MARC::Record;
 use C4::Biblio;
@@ -64,6 +65,7 @@ use List::MoreUtils qw( uniq );
 my $query        = new CGI;
 my $dbh          = C4::Context->dbh;
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $frameworkcode = $query->param('frameworkcode');
 $frameworkcode = GetFrameworkCode( $biblionumber ) unless ($frameworkcode);
 my $popup        =

diff --git a/catalogue/detail.pl b/catalogue/detail.pl
index 4917673..ebc138d 100755 (executable)
--- a/catalogue/detail.pl
+++ b/catalogue/detail.pl
@@ -19,6 +19,7 @@
 use Modern::Perl;
 
 use CGI qw ( -utf8 );
+use HTML::Entities;
 use C4::Acquisition qw( GetHistory );
 use C4::Auth;
 use C4::Koha;
@@ -58,6 +59,7 @@ my ( $template, $borrowernumber, $cookie, $flags ) = get_template_and_user(
 );
 
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $record       = GetMarcBiblio($biblionumber);
 
 if ( not defined $record ) {

diff --git a/catalogue/labeledMARCdetail.pl b/catalogue/labeledMARCdetail.pl
index 8ad2d22..7c488e0 100755 (executable)
--- a/catalogue/labeledMARCdetail.pl
+++ b/catalogue/labeledMARCdetail.pl
@@ -20,6 +20,7 @@
 use strict;
 use warnings;
 use CGI qw ( -utf8 ); 
+use HTML::Entities;
 use MARC::Record;
 use C4::Auth;
 use C4::Context;
@@ -34,6 +35,7 @@ use C4::Koha qw( GetFrameworksLoop );
 my $query        = new CGI;
 my $dbh          = C4::Context->dbh;
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $frameworkcode = $query->param('frameworkcode');
 $frameworkcode = GetFrameworkCode( $biblionumber ) unless ($frameworkcode);
 my $popup        =

diff --git a/catalogue/moredetail.pl b/catalogue/moredetail.pl
index ef9de77..7ba2fbe 100755 (executable)
--- a/catalogue/moredetail.pl
+++ b/catalogue/moredetail.pl
@@ -23,6 +23,7 @@ use strict;
 #use warnings; FIXME - Bug 2505
 use C4::Koha;
 use CGI qw ( -utf8 );
+use HTML::Entities;
 use C4::Biblio;
 use C4::Items;
 use C4::Branch;
@@ -66,6 +67,7 @@ my $hidepatronname = C4::Context->preference("HidePatronName");
 # get variables
 
 my $biblionumber=$query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $title=$query->param('title');
 my $bi=$query->param('bi');
 $bi = $biblionumber unless $bi;