[Koha-patches] [PATCH] kohabug 2026 - HTML-escape comments
Galen Charlton
galen.charlton at liblime.com
Thu May 1 00:09:14 CEST 2008
This is a partial, perhaps temporary fix. "<", ">",
and "&" characters in patron comments (AKA reviews)
are converted to "&lt;", "&gt;", and "&amp;" to avoid
certain attacks, e.g., a user entering a <script> tag
in a comment.
A more permanent fix should scrub all (or perhaps just
unsafe) tags from submitted comments entirely.
---
.../prog/en/modules/reviews/reviewswaiting.tmpl | 2 +-
.../opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl | 4 ++--
.../opac-tmpl/prog/en/modules/opac-detail.tmpl | 4 ++--
.../opac-tmpl/prog/en/modules/opac-review.tmpl | 4 ++--
.../prog/en/modules/opac-showreviews.tmpl | 2 +-
5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tmpl
index 0350135..8fbcd88 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reviews/reviewswaiting.tmpl
@@ -58,7 +58,7 @@ $.tablesorter.addParser({
<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber" -->"><!-- TMPL_VAR NAME="bibliotitle" --></a>
</td>
<td>
- <!-- TMPL_VAR NAME="review" -->
+ <!-- TMPL_VAR NAME="review" ESCAPE="HTML" -->
</td>
<td>
<a href="/cgi-bin/koha/reviews/reviewswaiting.pl?op=approve&reviewid=<!-- TMPL_VAR NAME="reviewid" -->">Approve</a> |
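Review bot: The review cell is now escaped, but `bibliotitle` on the first context line of this hunk and the `reviewid`/`biblionumber` values interpolated into the href on the last line still render raw, as do the same id values in the opac-detail Edit link and the opac-review append strings in the later hunks. If those ids are always integers from the database and titles never contain markup characters this is harmless; otherwise `<!-- TMPL_VAR NAME="bibliotitle" ESCAPE="HTML" -->` and `ESCAPE="URL"` on the id parameters would make the escaping consistent with what this commit does for the review body. Independently, `&reviewid=` inside the href should be `&amp;reviewid=` for the attribute to be well-formed HTML.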
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl
index 1e36185..f892b4a 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-ISBDdetail.tmpl
@@ -129,7 +129,7 @@
<!--TMPL_VAR NAME="datereviewed"-->
</small>
<p>
- <!--TMPL_VAR NAME="review"-->
+ <!--TMPL_VAR NAME="review" ESCAPE="HTML"-->
</p>
<!--/TMPL_LOOP-->
<!-- TMPL_ELSE -->
@@ -185,4 +185,4 @@
</div>
<!-- TMPL_IF NAME="OpacNav" --><div class="yui-b"><!--TMPL_INCLUDE NAME="navigation.inc" --></div><!-- /TMPL_IF -->
</div>
-<!-- TMPL_INCLUDE NAME="opac-bottom.inc" -->
\ No newline at end of file
+<!-- TMPL_INCLUDE NAME="opac-bottom.inc" -->
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tmpl
index 7f4d51f..5537f4c 100755
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tmpl
@@ -410,7 +410,7 @@
</h5>
<small><!-- TMPL_VAR NAME="datereviewed" --></small>
<p>
- <!-- TMPL_VAR NAME="review" -->
+ <!-- TMPL_VAR NAME="review" ESCAPE="HTML" -->
<a href="#" onclick="Dopop('/cgi-bin/koha/opac-review.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber"-->&reviewid=<!-- TMPL_VAR NAME="reviewid" -->');">Edit</a>
</p></div>
<!-- TMPL_ELSE -->
@@ -423,7 +423,7 @@
</h5>
<small><!-- TMPL_VAR NAME="datereviewed" --></small>
<p>
- <!-- TMPL_VAR NAME="review" -->
+ <!-- TMPL_VAR NAME="review" ESCAPE="HTML" -->
</p></div>
<!-- /TMPL_IF -->
<!-- /TMPL_LOOP -->
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tmpl
index 146d60b..4528d71 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-review.tmpl
@@ -24,13 +24,13 @@
$('#reviewf').submit( function() {
<!-- TMPL_IF NAME="reviewid" -->
parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').prev("small").prev("h5").html("Your Edited Comment (preview, pending approval)");
- parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').html($("#review").val());
+ parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').html($("#review").val().replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>'));
parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').append(" <a href=\"#comment\" onclick=\"Dopop(\'/cgi-bin/koha/opac-review.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber"-->&reviewid=<!-- TMPL_VAR NAME="reviewid" -->\');\">Edit</a>");
window.close();
<!-- TMPL_ELSE -->
parent.opener.$('#newcomment').attr("class","yours");
parent.opener.$('#newcomment').html("<h5>Your Comment (preview, pending approval)</h5>");
- parent.opener.$('#newcomment').append("<p>"+$("#review").val());
+ parent.opener.$('#newcomment').append("<p>"+$("#review").val().replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>'));
parent.opener.$('#newcomment p').append(" <a href=\"#comment\" onclick=\"Dopop(\'/cgi-bin/koha/opac-review.pl?biblionumber=<!-- TMPL_VAR NAME="biblionumber"-->&reviewid=<!-- TMPL_VAR NAME="reviewid" -->\');\">Edit</a></p>");
parent.opener.$("#addcomment").prev("p").remove();
parent.opener.$("#addcomment").remove();
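Review bot: The hand-written replace chain on the two changed lines is duplicated and easy to get wrong (in this rendering of the patch the replacement strings appear collapsed to `'&'`, `'<'`, `'>'`, presumably `'&amp;'`, `'&lt;'`, `'&gt;'` in the actual patch); jQuery's `.text()` setter inserts a text node and needs no escaping at all. The edited-comment preview can become `parent.opener.$('#c<!-- TMPL_VAR NAME="reviewid" --> p').text($("#review").val());` and the new-comment preview `parent.opener.$('#newcomment').append($("<p>").text($("#review").val()));`, which keeps the following `.append(...)` calls for the Edit link working unchanged. This also avoids the case where a browser parses the partially escaped string differently from the server-side `ESCAPE="HTML"` used in the template hunks. The submit handler opened on the first line of this hunk closes outside it.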
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-showreviews.tmpl b/koha-tmpl/opac-tmpl/prog/en/modules/opac-showreviews.tmpl
index 7e44348..4d3bf18 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-showreviews.tmpl
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-showreviews.tmpl
@@ -19,7 +19,7 @@
</tr>
<tr>
<td>
- <!--TMPL_VAR NAME="review"-->
+ <!--TMPL_VAR NAME="review" ESCAPE="HTML"-->
<p><!--TMPL_VAR NAME="datereviewed"--></p>
</td>
</tr>
--
1.5.5.rc0.16.g02b00