From 17210e096b0009c4a891944085c5cdc33a100d9c Mon Sep 17 00:00:00 2001
From: Dan Scott <dscott@laurentian.ca>
Date: Wed, 26 Apr 2017 00:19:42 -0400
Subject: [PATCH] LP#1478128: Avoid XSS in public catalog

This patch escapes various GET param values by passing them through
the Template Toolkit html filter, including:

* in the locale picker
* in the searchbar
* in the login form

Signed-off-by: Dan Scott <dscott@laurentian.ca>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---
 Open-ILS/src/templates/opac/parts/locale_picker.tt2 | 2 +-
 Open-ILS/src/templates/opac/parts/login/form.tt2    | 2 +-
 Open-ILS/src/templates/opac/parts/searchbar.tt2     | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Open-ILS/src/templates/opac/parts/locale_picker.tt2 b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
index 12019cdddd..2ba56c0350 100644
--- a/Open-ILS/src/templates/opac/parts/locale_picker.tt2
+++ b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
@@ -10,7 +10,7 @@
     <label for="locale_picker">[% l("Language:") %]</label>
     [%- FOREACH param IN CGI.params(); -%]
         [%- NEXT IF param.key == 'set_eg_locale'; -%]
-        <input type="hidden" name="[% param.key %]" value="[% param.value %]" />
+        <input type="hidden" name="[% param.key | html %]" value="[% param.value | html %]" />
     [%- END; -%]
     <select id="locale_picker" name="set_eg_locale">
     [%- FOREACH locale IN ctx.locales.keys %]
diff --git a/Open-ILS/src/templates/opac/parts/login/form.tt2 b/Open-ILS/src/templates/opac/parts/login/form.tt2
index 23e38c6e12..f357e8a29e 100644
--- a/Open-ILS/src/templates/opac/parts/login/form.tt2
+++ b/Open-ILS/src/templates/opac/parts/login/form.tt2
@@ -49,7 +49,7 @@
             END;
                 redirect = redirect  | replace('^http:', 'https:');
             %]
-            <input type='hidden' name='redirect_to' value='[% redirect %]'/>
+            <input type='hidden' name='redirect_to' value='[% redirect | html %]'/>
             <input type="checkbox" name="persist" id="login_persist" /><label for="login_persist"> [% l('Stay logged in?') %]</label>
             <input type="submit" value="[% l('Log in') %]" alt="[% l('Log in') %]" class="opac-button" />
         </div>
diff --git a/Open-ILS/src/templates/opac/parts/searchbar.tt2 b/Open-ILS/src/templates/opac/parts/searchbar.tt2
index ddf68cf3ec..587f485ea7 100644
--- a/Open-ILS/src/templates/opac/parts/searchbar.tt2
+++ b/Open-ILS/src/templates/opac/parts/searchbar.tt2
@@ -124,7 +124,7 @@ END;
             FOR p IN CGI.params.keys;
                 NEXT UNLESS p.match('^fi:');
                 FOR pv IN CGI.params.$p;
-                    %]<input type="hidden" name="[% p %]" value="[% pv %]" />[%
+                    %]<input type="hidden" name="[% p | html %]" value="[% pv | html %]" />[%
                 END;
             END;
         END %]
@@ -133,9 +133,9 @@ END;
             number_of_expert_rows = CGI.param('tag').list.size;
             index = 0;
             WHILE index < number_of_expert_rows %]
-                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index %]" />
-                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index %]" />
-                <input type="hidden" name="term" value="[% CGI.param('term').list.$index %]" />
+                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index | html %]" />
+                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index | html %]" />
+                <input type="hidden" name="term" value="[% CGI.param('term').list.$index | html %]" />
                 [% index = index + 1; %]
             [% END %]
         [% END %]
-- 
2.43.2