[Bug 33144] New: Authority lookup in advanced editor overencodes HTML
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Bug ID: 33144 Summary: Authority lookup in advanced editor overencodes HTML Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Cataloging Assignee: koha-bugs@lists.koha-community.org Reporter: phil@chetcolibrary.org QA Contact: testopia@bugs.koha-community.org CC: jonathan.druart+koha@gmail.com, m.de.rooy@rijksmuseum.nl Depends on: 26102 Bug 26102 prevented XSS via malicious authority records (which would have been fun to exploit), but it did it by creating an HTML entity-encoded string and then handing it to a function which expected to get text, not HTML. As a result, if you look up the authority record for Simon & Schuster Audio (Firm) from the advanced editor, you wind up putting Simon & Schuster Audio (Firm) in your bib record. Steps to reproduce: 1. Set EnableAdvancedCatalogingEditor to Enable 2. Edit any Topical Term authority record, and at the end of 150 subfield a add (without the newlines, just offsetting it for easy copying) & Stuff </script><script>alert('boo ❤')</script> 3. Cataloging - Advanced Editor 4. Hit return in the editor to get a new line, type 650 and press tab three times, then Ctrl+Shift+L 5. Search for the authority you edited, click Choose Expected result: The editor should show 650 _ 4 ‡aAbduction & Stuff </script><script>alert('boo ❤')</script>‡vDrama. since that's the text of the authority you selected Actual result: The editor shows 650 _ 4 ‡aAbduction & Stuff </script> <script>alert('boo ❤');</script>‡vDrama. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26102 [Bug 26102] Javascript injection in intranet search -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 --- Comment #1 from Phil Ringnalda <phil@chetcolibrary.org> --- Created attachment 147776 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=147776&action=edit Bug 33144: Unescape text from authority lookup for advanced editor While the basic editor is happy with an array of subfields it can stuff into separate fields, the advanced editor needs to get a JS string back from the authority lookup plugin, because it is going to just add the whole thing as text. The string has to be HTML entity encoded, both to not allow XSS and just to not break the window, but it needs to then be unencoded before being inserted into the editor. Test plan: 1. Set the system preference EnableAdvancedCatalogingEditor to Enable 2. Edit any Topical Term authority, and at the end of tag 150 subfield a, add & </script> 3. Cataloging - Advanced editor 4. Press return in the editor to get a new blank line, type 650 and press tab three times, then type Ctrl-Shift-L 5. Search for your modified authority, and click Choose 6. Verify that the tiny popup opened by the search window finished its job and closed itself 7. Verify that your 650 now shows as "‡aAbduction & </script>‡vDrama" rather than "‡aAbduction & </script>‡vDrama." -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 --- Comment #2 from Phil Ringnalda <phil@chetcolibrary.org> --- I'm no expert in assessing the XSS risks of code copy-pasted from Stack Overflow, but I've been reading Wladimir's writing on security and running his code for years, so I'd trust https://stackoverflow.com/questions/1912501/unescape-html-entities-in-javasc... and in fact we already do that same thing in https://git.koha-community.org/Koha-community/Koha/src/commit/fe872b792037ee... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |phil@chetcolibrary.org |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #147776|0 |1 is obsolete| | --- Comment #3 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- Created attachment 147817 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=147817&action=edit Bug 33144: Unescape text from authority lookup for advanced editor While the basic editor is happy with an array of subfields it can stuff into separate fields, the advanced editor needs to get a JS string back from the authority lookup plugin, because it is going to just add the whole thing as text. The string has to be HTML entity encoded, both to not allow XSS and just to not break the window, but it needs to then be unencoded before being inserted into the editor. Test plan: 1. Set the system preference EnableAdvancedCatalogingEditor to Enable 2. Edit any Topical Term authority, and at the end of tag 150 subfield a, add & </script> 3. Cataloging - Advanced editor 4. Press return in the editor to get a new blank line, type 650 and press tab three times, then type Ctrl-Shift-L 5. Search for your modified authority, and click Choose 6. Verify that the tiny popup opened by the search window finished its job and closed itself 7. Verify that your 650 now shows as "‡aAbduction & </script>‡vDrama" rather than "‡aAbduction & </script>‡vDrama." Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |katrin.fischer@bsz-bw.de |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #147817|0 |1 is obsolete| | --- Comment #4 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 148038 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=148038&action=edit Bug 33144: Unescape text from authority lookup for advanced editor While the basic editor is happy with an array of subfields it can stuff into separate fields, the advanced editor needs to get a JS string back from the authority lookup plugin, because it is going to just add the whole thing as text. The string has to be HTML entity encoded, both to not allow XSS and just to not break the window, but it needs to then be unencoded before being inserted into the editor. Test plan: 1. Set the system preference EnableAdvancedCatalogingEditor to Enable 2. Edit any Topical Term authority, and at the end of tag 150 subfield a, add & </script> 3. Cataloging - Advanced editor 4. Press return in the editor to get a new blank line, type 650 and press tab three times, then type Ctrl-Shift-L 5. Search for your modified authority, and click Choose 6. Verify that the tiny popup opened by the search window finished its job and closed itself 7. Verify that your 650 now shows as "‡aAbduction & </script>‡vDrama" rather than "‡aAbduction & </script>‡vDrama." Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |23.05.00 released in| | Status|Passed QA |Pushed to master -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 --- Comment #5 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Pushed to master for 23.05. Nice work everyone, thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Jacob O'Mara <jacob.omara@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|23.05.00 |23.05.00,22.11.04 released in| | Status|Pushed to master |Pushed to stable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 --- Comment #6 from Jacob O'Mara <jacob.omara@ptfs-europe.com> --- Nice work, thanks everyone! Pushed to 22.11.x for the next release. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Pushed to oldstable Version(s)|23.05.00,22.11.04 |23.05.00,22.11.04,22.05.12 released in| | CC| |lucas@bywatersolutions.com --- Comment #7 from Lucas Gass <lucas@bywatersolutions.com> --- Backported to 22.05.x for upcoming 22.05.12 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |arthur.suzuki@biblibre.com Version(s)|23.05.00,22.11.04,22.05.12 |23.05.00,22.11.04,22.05.12, released in| |21.11.20 Status|Pushed to oldstable |Pushed to oldoldstable --- Comment #8 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- applied to 21.11.x for 21.11.20 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 wainuiwitikapark@catalyst.net.nz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wainuiwitikapark@catalyst.n | |et.nz --- Comment #9 from wainuiwitikapark@catalyst.net.nz --- Not backported to 21.05.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|Pushed to oldoldstable |RESOLVED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org