From 5235a46fa6e6c25763e8444a1e9e9c44cf441133 Mon Sep 17 00:00:00 2001 From: Jeff Davis Date: Mon, 1 Apr 2019 15:13:09 -0700 Subject: [PATCH 1/1] LP#1822630: further sanitizing of CGI params when embedded in HTML Signed-off-by: Jeff Davis Signed-off-by: Chris Sharp Signed-off-by: Jason Stephenson Signed-off-by: Galen Charlton --- Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2 | 6 +++--- Open-ILS/src/templates/opac/parts/header.tt2 | 2 +- Open-ILS/src/templates/opac/parts/place_hold.tt2 | 2 +- Open-ILS/src/templates/opac/parts/place_hold_result.tt2 | 4 ++-- Open-ILS/src/templates/opac/parts/result/adv_filter.tt2 | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2 b/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2 index d5ba0f48ea..668b5fab3e 100644 --- a/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2 +++ b/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2 @@ -45,13 +45,13 @@ dojo.forEach(vendor_list, function(v) { // essential info for performing a transaction var ebook_action = {}; [%- IF CGI.param("action").defined %] -ebook_action.type = '[% CGI.param("action") %]'; +ebook_action.type = '[% CGI.param("action") | html %]'; [%- END -%] [%- IF CGI.param("title").defined %] -ebook_action.title_id = '[% CGI.param("title") %]'; +ebook_action.title_id = '[% CGI.param("title") | html %]'; [%- END -%] [%- IF CGI.param("vendor").defined %] -ebook_action.vendor = '[% CGI.param("vendor") %]'; +ebook_action.vendor = '[% CGI.param("vendor") | html %]'; [%- END -%] [% IF ctx.user %] diff --git a/Open-ILS/src/templates/opac/parts/header.tt2 b/Open-ILS/src/templates/opac/parts/header.tt2 index 76b2314187..5f397c3b7c 100644 --- a/Open-ILS/src/templates/opac/parts/header.tt2 +++ b/Open-ILS/src/templates/opac/parts/header.tt2 @@ -19,7 +19,7 @@ # parts/searchbar.tt2, and results.tt2. show_detail_view = 0; IF CGI.param("detail_record_view").defined; - show_detail_view = CGI.param("detail_record_view"); + show_detail_view = CGI.param("detail_record_view") | html; ELSIF show_more_details.default == "true" OR show_more_details.default == "hide"; show_detail_view = 1; diff --git a/Open-ILS/src/templates/opac/parts/place_hold.tt2 b/Open-ILS/src/templates/opac/parts/place_hold.tt2 index f2d1bba3bc..95ff9e2b29 100644 --- a/Open-ILS/src/templates/opac/parts/place_hold.tt2 +++ b/Open-ILS/src/templates/opac/parts/place_hold.tt2 @@ -192,7 +192,7 @@ function maybeToggleNumCopies(obj) { [% l('Advanced Hold Options') %] [% END %] [% IF CGI.param('hold_type') == 'M' AND CGI.param('bre_id') %] - + [% l('Basic Hold Options') %] diff --git a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 index 009145aeb2..2f434bdc60 100644 --- a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 +++ b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 @@ -148,10 +148,10 @@ function disable_submit() { [% END %] [% IF any_failures OR ctx.general_hold_error %] - [% l('Cancel') %] + [% l('Cancel') %] [% ELSE %]
- [% l('Continue') %] + [% l('Continue') %] [% IF ctx.is_staff %] [% IF CGI.param('hold_type') == 'C'; hold_type_label = l('copy'); diff --git a/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2 b/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2 index ae2ef7a50c..35b2c77723 100644 --- a/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2 +++ b/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2 @@ -62,8 +62,8 @@ FOR filter IN ctx.query_struct.filters; [%- END; # IF locations -%] [%- IF pubdate_filters.grep('^' _ filter.name _ '$').size; - date1 = CGI.param('date1'); - date2 = CGI.param('date2'); + date1 = CGI.param('date1') | html; + date2 = CGI.param('date2') | html; -%]
-- 2.43.2