From b38535de56dfd8a909811bf9822c90e6d679fdf6 Mon Sep 17 00:00:00 2001
From: Dan Scott <dan@coffeecode.net>
Date: Wed, 17 Aug 2011 15:36:15 -0400
Subject: [PATCH] Escape TPAC "myopac" output to protect against XSS attacks

We're using the Template::Toolkit html and uri filters to ensure that
the usual suspects are escaped at output time to prevent trivial XSS
attacks.

berick: did some merge cleanup

Signed-off-by: Dan Scott <dscott@laurentian.ca>
---
 .../templates/default/opac/myopac/circ_history.tt2   |  8 ++++----
 Open-ILS/web/templates/default/opac/myopac/circs.tt2 | 12 ++++++------
 .../templates/default/opac/myopac/hold_history.tt2   |  2 +-
 Open-ILS/web/templates/default/opac/myopac/holds.tt2 |  2 +-
 .../web/templates/default/opac/myopac/holds/edit.tt2 |  8 ++++----
 Open-ILS/web/templates/default/opac/myopac/lists.tt2 | 10 +++++-----
 Open-ILS/web/templates/default/opac/myopac/main.tt2  |  6 +++---
 .../web/templates/default/opac/myopac/main_pay.tt2   |  2 +-
 .../default/opac/myopac/main_payment_form.tt2        |  4 ++--
 .../templates/default/opac/myopac/main_payments.tt2  |  6 +++++-
 Open-ILS/web/templates/default/opac/myopac/prefs.tt2 |  4 ++--
 .../templates/default/opac/myopac/prefs_notify.tt2   |  4 ++--
 .../templates/default/opac/myopac/prefs_settings.tt2 |  4 ++--
 .../templates/default/opac/myopac/receipt_email.tt2  |  8 +++++---
 .../templates/default/opac/myopac/receipt_print.tt2  |  2 +-
 .../templates/default/opac/myopac/update_email.tt2   |  4 +---
 .../default/opac/myopac/update_username.tt2          |  7 +++----
 17 files changed, 48 insertions(+), 45 deletions(-)

diff --git a/Open-ILS/web/templates/default/opac/myopac/circ_history.tt2 b/Open-ILS/web/templates/default/opac/myopac/circ_history.tt2
index a0955585c8..55bbc00bf9 100644
--- a/Open-ILS/web/templates/default/opac/myopac/circ_history.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/circ_history.tt2
@@ -71,9 +71,9 @@
                     <tr>
                         <td style="padding-left:5px;padding-bottom:10px;">
                             <a href="[% ctx.opac_root %]/record/[% circ.circ.target_copy.call_number.record.id %]" 
-                                name="[% l('Catalog record') %]">[% attrs.title %]</a>
+                                name="[% l('Catalog record') %]">[% attrs.title | html %]</a>
                             [% IF attrs.author %] /
-                            <a href="[% ctx.opac_root %]/results?qtype=author&amp;query=[% attrs.author | replace('[,\.:;]', '') | url %]">[% attrs.author %]</a>
+                            <a href="[% ctx.opac_root %]/results?qtype=author&amp;query=[% attrs.author | replace('[,\.:;]', '') | url %]">[% attrs.author | html %]</a>
                             [% END %]
                         </td>
                         <td style="padding-left:5px;">
@@ -90,8 +90,8 @@
                                 <span style='color:blue;'>*</span><!-- meh -->
                             [% END; %]
                         </td>
-                        <td>[% circ.circ.target_copy.barcode %]</td>
-                        <td>[% circ.circ.target_copy.call_number.label %]</td>
+                        <td>[% circ.circ.target_copy.barcode | html %]</td>
+                        <td>[% circ.circ.target_copy.call_number.label | html %]</td>
                     </tr>
                 [% END %]
             </tbody>
diff --git a/Open-ILS/web/templates/default/opac/myopac/circs.tt2 b/Open-ILS/web/templates/default/opac/myopac/circs.tt2
index 67f94b8747..107597b555 100644
--- a/Open-ILS/web/templates/default/opac/myopac/circs.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/circs.tt2
@@ -106,9 +106,9 @@
                         <td width="40%"
                             style="padding-left:5px;padding-bottom:10px;"
                             name="author">
-                            <a href="[% ctx.opac_root %]/record/[% circ.circ.target_copy.call_number.record.id %]" name="[% l('Catalog record') %]">[% attrs.title %]</a>
+                            <a href="[% ctx.opac_root %]/record/[% circ.circ.target_copy.call_number.record.id %]" name="[% l('Catalog record') %]">[% attrs.title | html %]</a>
                             [% IF attrs.author %] /
-                            <a href="[% ctx.opac_root %]/results?qtype=author&amp;query=[% attrs.author | replace('[,\.:;]', '') | url %]">[% attrs.author %]</a>
+                            <a href="[% ctx.opac_root %]/results?qtype=author&amp;query=[% attrs.author | replace('[,\.:;]', '') | url %]">[% attrs.author | html %]</a>
                             [% END %]
                         </td>
                         <td width="8%" name="renewals" align="center">
@@ -119,18 +119,18 @@
                             [% date.format(ctx.parse_datetime(circ.circ.due_date),DATE_FORMAT) %]
                         </td>
                         <td width="16%" name="barcode">
-                            [% circ.circ.target_copy.barcode %]
+                            [% circ.circ.target_copy.barcode | html %]
                         </td>
                         <td width="22%" name="call_number">
-                            [% circ.circ.target_copy.call_number.label %]
+                            [% circ.circ.target_copy.call_number.label | html %]
                         </td>
                     </tr>
                     [%  IF circ.renewal_response AND
                             circ.renewal_response.textcode != 'SUCCESS' %]
                     <tr>
                         <td colspan="6">[%# XXX colspan="0" does not work in IE %]
-                            <span class="failure-text" title="[% circ.renewal_response.textcode %] / [% circ.renewal_response.payload.fail_part %]">
-                                [% circ.renewal_response.desc || circ.renewal_response.payload.fail_part || circ.renewal_response.textcode %]
+                            <span class="failure-text" title="[% circ.renewal_response.textcode | html %] / [% circ.renewal_response.payload.fail_part | html %]">
+                                [% (circ.renewal_response.desc || circ.renewal_response.payload.fail_part || circ.renewal_response.textcode) | html %]
                             </span>
                         </td>
                     </tr>
diff --git a/Open-ILS/web/templates/default/opac/myopac/hold_history.tt2 b/Open-ILS/web/templates/default/opac/myopac/hold_history.tt2
index 43f32564ec..0419cd3021 100644
--- a/Open-ILS/web/templates/default/opac/myopac/hold_history.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/hold_history.tt2
@@ -81,7 +81,7 @@
                         </div>
                     </td>
                     <td width="136">
-                        [% ctx.get_aou(ahr.pickup_lib).name %]
+                        [% ctx.get_aou(ahr.pickup_lib).name | html %]
                     </td>
                     <td width="104">
                         [% IF ahr.frozen == 't' AND ahr.thaw_date;
diff --git a/Open-ILS/web/templates/default/opac/myopac/holds.tt2 b/Open-ILS/web/templates/default/opac/myopac/holds.tt2
index a6bb6709dc..7fac5063b5 100644
--- a/Open-ILS/web/templates/default/opac/myopac/holds.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/holds.tt2
@@ -154,7 +154,7 @@
                         </div>
                     </td>
                     <td width="136">
-                        [% ctx.get_aou(ahr.pickup_lib).name %]
+                        [% ctx.get_aou(ahr.pickup_lib).name | html %]
                     </td>
                     <td width="104">
                         <!-- <input
diff --git a/Open-ILS/web/templates/default/opac/myopac/holds/edit.tt2 b/Open-ILS/web/templates/default/opac/myopac/holds/edit.tt2
index 2fda76c044..f432697075 100644
--- a/Open-ILS/web/templates/default/opac/myopac/holds/edit.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/holds/edit.tt2
@@ -23,14 +23,14 @@
     </div>
     <div id="hold_editor">
         [% IF hold %]
-            <h1>[% attrs.title %]</h1>
-            <h2>[% attrs.author %]</h2>
+            <h1>[% attrs.title | html %]</h1>
+            <h2>[% attrs.author | html %]</h2>
             [% IF attrs.format_icon %]<p>
                 <strong>[% l('Format:') %]</strong>
-                <img src="[% ctx.media_prefix %]/images/[% attrs.format_icon %]" alt="[% attrs.format %]" title="[% attrs.title %]" />
+                <img src="[% ctx.media_prefix %]/images/[% attrs.format_icon %]" alt="[% attrs.format %]" title="[% attrs.title | html %]" />
             </p>[% END %]
             <p>
-                <strong>[% l('Status') %]</strong>: [% hold.human_status %]
+                <strong>[% l('Status') %]</strong>: [% hold.human_status | html %]
             </p>
             <form method="POST">
                 <table id="hold_editor_table">
diff --git a/Open-ILS/web/templates/default/opac/myopac/lists.tt2 b/Open-ILS/web/templates/default/opac/myopac/lists.tt2
index ba8d556360..87aec45d73 100644
--- a/Open-ILS/web/templates/default/opac/myopac/lists.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/lists.tt2
@@ -80,9 +80,9 @@
                     <big><strong>
                     [% IF bbag.pub == 't' %]
                         [% url = 'http://' _ ctx.hostname _ '/opac/extras/feed/bookbag/html-full/' _ bbag.id %]
-                        <a target='_blank' href='[% url %]'>[% bbag.name %]</a>
+                        <a target='_blank' href='[% url %]'>[% bbag.name | html %]</a>
                     [% ELSE %]
-                    [% bbag.name %]
+                    [% bbag.name | html %]
                     [% END %]
                     </strong></big>
                 </div>
@@ -131,9 +131,9 @@
                         attrs = {marc_xml => ctx.bookbags_marc_xml.$rec_id};
                         PROCESS get_marc_attrs args=attrs %]
                     <tr>
-                        <td class="opac-auto-097b" style="padding-left: 10px;"><input type="checkbox" name="del_item" value="[% item.id %]" bbag='[% bbag.id %]'/></td>
-                        <td class="opac-auto-097b" style="padding-left: 5px;">[% attrs.title %]</td>
-                        <td class="opac-auto-097b">[% attrs.author %]</td>
+                        <td class="item_list_padding" style="padding-left: 10px;"><input type="checkbox" name="del_item" value="[% item.id %]" bbag='[% bbag.id %]'/></td>
+                        <td class="item_list_padding" style="padding-left: 5px;">[% attrs.title | html %]</td>
+                        <td class="item_list_padding">[% attrs.author | html %]</td>
                     </tr>
                     [% END %]
                 </tbody>
diff --git a/Open-ILS/web/templates/default/opac/myopac/main.tt2 b/Open-ILS/web/templates/default/opac/myopac/main.tt2
index 354b5b07db..818d75c099 100644
--- a/Open-ILS/web/templates/default/opac/myopac/main.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/main.tt2
@@ -41,13 +41,13 @@
                     <td>
                         [% recid = f.xact.circulation.target_copy.call_number.record.id || f.xact.reservation.target_resource_type.record.id;
                         IF recid; %]
-                        <a href="[% ctx.opac_root %]/record/[% recid %]">[% attrs.title %]</a>
+                        <a href="[% ctx.opac_root %]/record/[% recid %]">[% attrs.title | html %]</a>
                         [% ELSE %]
-                        [% attrs.title %]
+                        [% attrs.title | html %]
                         [% END %]
                     </td>
                     <td>
-                        <a href="[% ctx.opac_root %]/results?qtype=author&amp;query=[% attrs.author | replace('[,\.:;]', '') | url %]">[% attrs.author %]</a>
+                        <a href="[% ctx.opac_root %]/results?qtype=author&amp;query=[% attrs.author | replace('[,\.:;]', '') | url %]">[% attrs.author | html %]</a>
                     </td>
                     <td name='myopac_circ_trans_start'>
                         [% ts = f.xact.circulation.xact_start || f.xact.reservation.start_time || 0;
diff --git a/Open-ILS/web/templates/default/opac/myopac/main_pay.tt2 b/Open-ILS/web/templates/default/opac/myopac/main_pay.tt2
index ac68b6e786..e1cfcbdd12 100644
--- a/Open-ILS/web/templates/default/opac/myopac/main_pay.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/main_pay.tt2
@@ -37,7 +37,7 @@
                     (ctx.printable_receipt.textcode ? ctx.printable_receipt.textcode _ ' / ' _ ctx.printable_receipt.desc : 0) ||
                     ctx.printable_receipt.error_output.data ||
                     l('No receipt data returned from server')
-                ) %]
+                ) | html %]
         </div>
         [% END %]
         <p>[ <a href="[% ctx.opac_root %]/myopac/main">[%
diff --git a/Open-ILS/web/templates/default/opac/myopac/main_payment_form.tt2 b/Open-ILS/web/templates/default/opac/myopac/main_payment_form.tt2
index 52534d2a69..55cf8232c6 100644
--- a/Open-ILS/web/templates/default/opac/myopac/main_payment_form.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/main_payment_form.tt2
@@ -59,7 +59,7 @@
                                     attrs.title = f.xact.reservation.target_resource_type.name;
                                 END %]
                                 <tr>
-                                    <td>[% attrs.title %]</td>
+                                    <td>[% attrs.title | html %]</td>
                                     <td class="text-right">[% money(f.xact.balance_owed) %]</td>
                                 </tr>
                             [%
@@ -68,7 +68,7 @@
                                 NEXT IF CGI.param('xact_misc').size &&
                                     !CGI.param('xact_misc').grep(f.xact.id).size %]
                                 <tr>
-                                    <td>[% f.xact.last_billing_type %]</td>
+                                    <td>[% f.xact.last_billing_type | html %]</td>
                                     <td class="text-right">[% money(f.xact.balance_owed) %]</td>
                                 </tr>
                             [% END %]
diff --git a/Open-ILS/web/templates/default/opac/myopac/main_payments.tt2 b/Open-ILS/web/templates/default/opac/myopac/main_payments.tt2
index 0a3b192f11..80755fbe40 100644
--- a/Open-ILS/web/templates/default/opac/myopac/main_payments.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/main_payments.tt2
@@ -32,7 +32,11 @@
             [% FOR payment IN ctx.payments %]
             <tr>
                 <td>[% date.format(ctx.parse_datetime(payment.mp.payment_ts), DATE_FORMAT) %]</td>
-                <td>[% (payment.xact_type == 'grocery') ? payment.last_billing_type : payment.title %]</td>
+                <td>[% 
+                    btype = payment.last_billing_type | html;
+                    ptitle = payment.title | html;
+                    (payment.xact_type == 'grocery') ? btype : ptitle
+                %]</td>
                 <td>[% money(payment.mp.amount) %]</td>
                 <td>
                     <form action="[% ctx.opac_root %]/myopac/receipt_print" method="POST">
diff --git a/Open-ILS/web/templates/default/opac/myopac/prefs.tt2 b/Open-ILS/web/templates/default/opac/myopac/prefs.tt2
index 8ceeec3c42..17783b3777 100644
--- a/Open-ILS/web/templates/default/opac/myopac/prefs.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/prefs.tt2
@@ -198,7 +198,7 @@
             <tr>
                 <td class='color_4 light_border'>
                 [% l("Home Library") %]</td>
-                <td class='light_border'>[% ctx.user.home_ou.name %]</td>
+                <td class='light_border'>[% ctx.user.home_ou.name | html %]</td>
                 <td><a href='#'
                    class="hide_me"
                    style='text-decoration: underline;'>[% l("Change") %]</a></td>
@@ -255,7 +255,7 @@
                                 IF addr.pending == "t";
                                     "<strong>" _ l("*** PENDING ***") _ "</strong> ";
                                 END;
-                                addr.address_type | lower | ucfirst;
+                                addr.address_type | lower | ucfirst | html ;
                             %]</td>
                         </tr>
                         <tr>
diff --git a/Open-ILS/web/templates/default/opac/myopac/prefs_notify.tt2 b/Open-ILS/web/templates/default/opac/myopac/prefs_notify.tt2
index 14a824e605..da3d520c81 100644
--- a/Open-ILS/web/templates/default/opac/myopac/prefs_notify.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/prefs_notify.tt2
@@ -21,10 +21,10 @@
             [% END %]
             [% FOR optin IN ctx.opt_in_settings %]
                 <tr>
-                    <td>[% optin.cust.label %]</td>
+                    <td>[% optin.cust.label | html %]</td>
                     <td>
                         <input type='checkbox' name='setting' 
-                            value='[% optin.cust.name %]' 
+                            value='[% optin.cust.name | uri %]' 
                             [% IF optin.value %] checked='checked' [% END %]/>
                     </td>
                 </tr>
diff --git a/Open-ILS/web/templates/default/opac/myopac/prefs_settings.tt2 b/Open-ILS/web/templates/default/opac/myopac/prefs_settings.tt2
index fda86fe614..e664e91b22 100644
--- a/Open-ILS/web/templates/default/opac/myopac/prefs_settings.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/prefs_settings.tt2
@@ -37,9 +37,9 @@
                         [% setting = 'opac.hits_per_page' %]
                         <select name='[% setting %]'>
                             [%  FOR val IN [5, 8, 10, 15, 20, 25, 50] %]
-                                <option value='[% val %]' 
+                                <option value='[% val | uri %]' 
                                     [% IF ctx.user_setting_map.$setting == val %]
-                                        selected='selected'[% END %]>[% val %]</option>
+                                        selected='selected'[% END %]>[% val | html %]</option>
                             [% END %]
                         </select>
                     </td>
diff --git a/Open-ILS/web/templates/default/opac/myopac/receipt_email.tt2 b/Open-ILS/web/templates/default/opac/myopac/receipt_email.tt2
index 51acccb439..3745e5fbae 100644
--- a/Open-ILS/web/templates/default/opac/myopac/receipt_email.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/receipt_email.tt2
@@ -5,12 +5,14 @@
     [% IF ctx.email_receipt_result; # result should be undef on success %]
     <div class="payment-error">
         [% l('Error preparing receipt:') %]
-        <span title="[% ctx.email_receipt_result.textcode %]">
-            [% ctx.email_receipt_result.desc %]
+        <span title="[% ctx.email_receipt_result.textcode | html %]">
+            [% ctx.email_receipt_result.desc | html %]
         </span>
     </div>
     [% ELSE %]
-    <div>[% l('Your receipt will be emailed to [_1]', ctx.user.email) %]</div>
+    <div>
+        [% l('Your receipt will be emailed to [_1]', ctx.user.email) | html %]
+    </div>
     [% END %]
     <p>
         [ <a href="[% ctx.opac_root %]/myopac/main_payments">[%
diff --git a/Open-ILS/web/templates/default/opac/myopac/receipt_print.tt2 b/Open-ILS/web/templates/default/opac/myopac/receipt_print.tt2
index 766f9b5e8b..fe6849502b 100644
--- a/Open-ILS/web/templates/default/opac/myopac/receipt_print.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/receipt_print.tt2
@@ -15,7 +15,7 @@
                     (ctx.printable_receipt.textcode ? ctx.printable_receipt.textcode _ ' / ' _ ctx.printable_receipt.desc : 0) ||
                     ctx.printable_receipt.error_output.data ||
                     l('No receipt data returned from server')
-                ) %]
+                ) | html %]
         </div>
         [% END %]
         <hr />
diff --git a/Open-ILS/web/templates/default/opac/myopac/update_email.tt2 b/Open-ILS/web/templates/default/opac/myopac/update_email.tt2
index a6e62ecb00..6bbedf2edd 100644
--- a/Open-ILS/web/templates/default/opac/myopac/update_email.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/update_email.tt2
@@ -6,9 +6,7 @@
 
 [% IF ctx.invalid_email %]
     <div id='account-update-email-error'>
-        [% | l(ctx.invalid_email) %]
-        The email address "<b>[_1]</b>" is invalid.  Please try a different email address.
-        [% END %]
+        [% l('The email address "<b>[_1]</b>" is invalid.  Please try a different email address.', ctx.invalid_email) | html %]
     </div>
 [% END %]
 
diff --git a/Open-ILS/web/templates/default/opac/myopac/update_username.tt2 b/Open-ILS/web/templates/default/opac/myopac/update_username.tt2
index 129491729f..017d753abf 100644
--- a/Open-ILS/web/templates/default/opac/myopac/update_username.tt2
+++ b/Open-ILS/web/templates/default/opac/myopac/update_username.tt2
@@ -6,14 +6,13 @@
 
 [% IF ctx.invalid_username %]
     <div id='account-update-email-error'> <!-- borrow css from update-email page -->
-        [% | l(ctx.invalid_username) %]
-        "<b>[_1]</b>" is not a valid username.  Usernames cannot have any spaces.  Please try a different username.
-        [% END %]
+        [% l('"<b>[_1]</b>" is not a valid username.  Usernames cannot have any spaces.  Please try a different username.', ctx.invalid_username) | html %]
     </div>
 
 [% ELSIF ctx.username_exists %]
     <div id='account-update-email-error'>
-        [% | l(ctx.username_exists) %]
+        [% bad_user = ctx.username_exists | html %]
+        [% | l(bad_user) %]
         The username "<b>[_1]</b>" is taken.  Please try a different username.
         [% END %]
     </div>
-- 
2.43.2