diff --git a/VERSIONS_HOTLINE/120623 b/VERSIONS_HOTLINE/120623 new file mode 100644 index 0000000000000000000000000000000000000000..3f049216440819c8bced73168e42342e1fb375c5 --- /dev/null +++ b/VERSIONS_HOTLINE/120623 @@ -0,0 +1 @@ + - ticket #120623 : Alerte Injection XSS sur MIOP \ No newline at end of file diff --git a/application/modules/opac/controllers/RechercheController.php b/application/modules/opac/controllers/RechercheController.php index 2b4c61221555b398319f44a52a04c223182873d7..e76982ca2c4a009b66568a302e05d85f4f2e7489 100644 --- a/application/modules/opac/controllers/RechercheController.php +++ b/application/modules/opac/controllers/RechercheController.php @@ -397,7 +397,9 @@ class RechercheController extends ZendAfi_Controller_Action { $this->view->url_panier = $this->view->url(['controller' => 'panier', 'action' => 'add-record-ajax', - 'id_notice' => $id_notice]); + 'id_notice' => $id_notice], + null, + true); $this->_helper->trackEvent('recherche', 'notice', diff --git a/application/modules/opac/views/scripts/footer.phtml b/application/modules/opac/views/scripts/footer.phtml index 538d261427e798e12958e91b18705b975dac58a2..35dedfc51a0cb5c544e0d5cb90fa5be1318c11db 100644 --- a/application/modules/opac/views/scripts/footer.phtml +++ b/application/modules/opac/views/scripts/footer.phtml @@ -13,10 +13,10 @@ // Combo des profils pour les admins if(Class_Users::getLoader()->isCurrentUserCanAccesBackend()) { echo '<td style="text-align:center; white-space: nowrap">'; - echo $this->tagAnchor(['module' => 'admin', - 'controller' => 'profil', - 'action' => 'accueil', - 'id_profil' => $profil->getId()], + echo $this->tagAnchor($this->url(['module' => 'admin', + 'controller' => 'profil', + 'action' => 'accueil', + 'id_profil' => $profil->getId()], null, true), $this->tagImg(URL_ADMIN_IMG.'ico/edit.gif', ['alt' => $this->_("Paramétrer cette page"), 
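Review bot: The `null, true` arguments added to `$this->view->url()` on the `url_panier` line are positional and opaque; nothing at the call tells a reader that `true` is the `$reset` flag of `Zend_View_Helper_Url::url($urlOptions, $name, $reset, $encode)`, i.e. the switch that stops the helper from merging the current request's parameters (the vector this ticket is about) into the generated URL. A one-line comment, `// reset=true: build the URL from these params only, never from the current request`, keeps the intent visible through the next refactor. The same bare `null, true` pattern is repeated in the footer.phtml, FrontNavEntries (-392), Notice/Abstract and ReseauxSociaux hunks of this commit; a single project-level helper that always passes the reset flag would make the safe behaviour the default instead of a per-call-site discipline. The enclosing action body starts and ends outside the hunk.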
diff --git a/library/Class/Notice/NavigationRecherche.php b/library/Class/Notice/NavigationRecherche.php index 7714ae0b08c319ff5188f23745870775426374c6..a8952315fc8dcbb809b3fe79bc6f67b77ce4b1b3 100644 --- a/library/Class/Notice/NavigationRecherche.php +++ b/library/Class/Notice/NavigationRecherche.php @@ -43,6 +43,12 @@ class Class_Notice_NavigationRecherche { } + public function getCurrentNoticeUrl() { + return array_merge($this->_criteres_recherche->getUrlCriteres(), + ['id' => $this->_current_notice->getId()]); + } + + public function getNoticeAtOffset($offset) { return Class_Notice::find($this->getNoticeIdAtOffset($offset)); } diff --git a/library/ZendAfi/Form.php b/library/ZendAfi/Form.php index 277b0a00a57935adc39a390983b4805f0e3a7d78..ab255af92fd235d2b754de1b1654132a945a74c8 100644 --- a/library/ZendAfi/Form.php +++ b/library/ZendAfi/Form.php @@ -22,7 +22,8 @@ class ZendAfi_Form extends Zend_Form { use Trait_Translator; - protected $_text_size = 40, + protected + $_text_size = 40, $_num_size = 4, $_summary; diff --git a/library/ZendAfi/View/Helper/Admin/FrontNavEntries.php b/library/ZendAfi/View/Helper/Admin/FrontNavEntries.php index 16c86bf23a10dec4b3a6c692cfd0824b292e5467..8fe1ab3bc976ea00b63b9a3606ec2e66d4522241 100644 --- a/library/ZendAfi/View/Helper/Admin/FrontNavEntries.php +++ b/library/ZendAfi/View/Helper/Admin/FrontNavEntries.php @@ -392,10 +392,12 @@ class ZendAfi_View_Helper_Admin_FrontNavEntries extends ZendAfi_View_Helper_Base $id = $this->_user->getId(); $name = $this->_user->getNomAff(); $anchors = [$this->_tag('li', - $this->view->tagAnchor(['module' => 'admin', - 'controller' => 'users', - 'action' => 'edit', - 'id' => $id], + $this->view->tagAnchor($this->view->url(['module' => 'admin', + 'controller' => 'users', + 'action' => 'edit', + 'id' => $id], + null, + true), $name, ['class' => 'menu_admin_front_anchor', 'title' => $this->_('Accéder à la page de modification de mon compte administrateur'), 
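Review bot: `getCurrentNoticeUrl()` is added without a docblock and its name suggests a URL string while it returns an array of route parameters (`getUrlCriteres()` merged with `['id' => ...]`) that the Navigation view helper later hands to `url()`. A docblock such as `/** @return array route params for the current record: the search criteria plus its id */` prevents the mix-up, and `getCurrentNoticeUrlParams()` would be the clearer name while callers are still few. Whether `_current_notice` can be null at this point is not visible in the hunk; if it can, the `->getId()` call needs a guard. The enclosing class continues outside the hunk.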
@@ -428,6 +430,7 @@ class ZendAfi_View_Helper_Admin_FrontNavEntries extends ZendAfi_View_Helper_Base ->addUniqDisplayGroup('group') ->populate(['admin_menu_change_profile' => $this->_profile_id]); - return $this->view->renderForm($form->setAction('/')); + return $this->view->renderForm($form->setAction('/'), + ZendAfi_View_Helper_RenderForm::NO_BUTTONS); } } \ No newline at end of file diff --git a/library/ZendAfi/View/Helper/Notice/Abstract.php b/library/ZendAfi/View/Helper/Notice/Abstract.php index a045265f3adf1befe9ccec1393b7203afe1972db..b183a0d6c724a9eb8920db987abeb47b2a910f8f 100644 --- a/library/ZendAfi/View/Helper/Notice/Abstract.php +++ b/library/ZendAfi/View/Helper/Notice/Abstract.php @@ -33,7 +33,9 @@ abstract class ZendAfi_View_Helper_Notice_Abstract extends Zend_View_Helper_Html in_array($rubrique, ['avis', 'exemplaires']) ? 1 : 0, $this->view->absoluteUrl(['controller' => 'noticeajax', 'action' => $rubrique, - 'id' => $notice->getId()])); + 'id' => $notice->getId()], + null, + true)); } protected function getUrl($rubrique, $notice) { diff --git a/library/ZendAfi/View/Helper/Notice/Navigation.php b/library/ZendAfi/View/Helper/Notice/Navigation.php index ea23940a91f685f6df2b62ac7d15974ec9a7e103..16b55a516f195f0d55368bd518a410308b6eae63 100644 --- a/library/ZendAfi/View/Helper/Notice/Navigation.php +++ b/library/ZendAfi/View/Helper/Notice/Navigation.php 
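Review bot: The `ZendAfi_View_Helper_RenderForm::NO_BUTTONS` argument added to the `renderForm()` call is a presentation change with no visible relation to the XSS ticket this commit is for; bundling it into a security fix makes the patch harder to audit and to backport as a hotfix. If it does belong with the fix, a short comment stating why (for instance `// profile switcher submits on change, no submit button wanted`, if that is the reason) would help; otherwise it is better landed as its own commit. The enclosing method starts outside the hunk.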
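Review bot: The `true` appended to the `absoluteUrl([...])` call is passed positionally to a project helper whose signature is not in this hunk; the fix only holds if `absoluteUrl`'s third parameter is forwarded as `$reset` to `Zend_View_Helper_Url::url()`, so that should be confirmed against the helper and stated at the call, e.g. `// reset=true: current request params must not be merged into this URL`. This URL appears to feed the infos_bloc script that the new `jsParamInUrlShouldNotBeInjectedInInfoBlocs` test inspects, which is good coverage for this path. The enclosing method starts outside the hunk.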
@@ -16,13 +16,16 @@ * * You should have received a copy of the GNU AFFERO GENERAL PUBLIC LICENSE * along with BOKEH; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ class ZendAfi_View_Helper_Notice_Navigation extends Zend_View_Helper_HtmlElement { - protected $_html; + protected + $_notice_navigation, + $_html; public function Notice_Navigation($notice_navigation) { + $this->_notice_navigation = $notice_navigation; $notice_navigation->acceptVisitor($this); return '<div>'.$this->_html.'</div>'; } @@ -30,9 +33,10 @@ class ZendAfi_View_Helper_Notice_Navigation extends Zend_View_Helper_HtmlElement public function renderNoticePrecedente() { $libelle_precedent = $this->view->_('Document précédent'); - $this->_html .= $this->view->tagAnchor(['navigation' => 'precedent'], + $this->_html .= $this->view->tagAnchor( + $this->_getNavigationUrl('precedent'), $libelle_precedent, - ['title'=>$libelle_precedent, + ['title' => $libelle_precedent, 'id' => 'previousrecord']); return $this; } @@ -41,14 +45,23 @@ class ZendAfi_View_Helper_Notice_Navigation extends Zend_View_Helper_HtmlElement public function renderNoticeSuivante() { $libelle_suivant = $this->view->_('Document suivant'); - $this->_html .= $this->view->tagAnchor(['navigation' => 'suivant'], + $this->_html .= $this->view->tagAnchor($this->_getNavigationUrl('suivant'), $libelle_suivant, - ['title'=>$libelle_suivant, + ['title' => $libelle_suivant, 'id' => 'nextrecord']); return $this; } + protected function _getNavigationUrl($direction) { + return $this->view->url( + array_merge($this->_notice_navigation->getCurrentNoticeUrl(), + ['navigation' => $direction]), + null, + true); + } + + public function visitPosition($position, $total) { if ($position > 1) $this->renderNoticePrecedente(); $this->renderPosition($position, $total); 
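Review bot: `Notice_Navigation()` now stores `$notice_navigation` on the helper but still never resets `$this->_html`, which `renderNoticePrecedente()` and `renderNoticeSuivante()` append to with `.=`; Zend_View caches helper instances per view, so a second call in the same request returns the first call's markup concatenated with the second. Adding `$this->_html = '';` next to the new assignment makes each call start clean. This is pre-existing behaviour, but the commit is turning the helper into a stateful object anyway, so this is the place to fix it.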
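Review bot: `_getNavigationUrl()` has no docblock, and because its callers `renderNoticePrecedente()`/`renderNoticeSuivante()` are public, a direct call before `Notice_Navigation()` has run dereferences `$this->_notice_navigation` while it is still null. A docblock such as `/** @param string $direction 'precedent' or 'suivant' — @return string URL built only from the record's search criteria (reset=true: no current-request params) */` documents both the contract and the security-relevant reason for the `true` argument. The first hunk's whitespace edit to the licence header is unrelated noise in a security patch.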
diff --git a/library/ZendAfi/View/Helper/ReseauxSociaux.php b/library/ZendAfi/View/Helper/ReseauxSociaux.php index 4938a514584a4dcd60a2a1eb3ad0f73701c6dfde..e884fe84401872e3bbe7b7ad3fb74411d87c5f98 100644 --- a/library/ZendAfi/View/Helper/ReseauxSociaux.php +++ b/library/ZendAfi/View/Helper/ReseauxSociaux.php @@ -134,7 +134,9 @@ class ZendAfi_View_Helper_ReseauxSociaux extends ZendAfi_View_Helper_BaseHelper 'url' => $url_table['url'], 'titre' => $url_table['titre'], 'message'=> $url_table['message'], - 'img_url' => $url_table['img_url']]); + 'img_url' => $url_table['img_url']], + null, + true); } diff --git a/library/ZendAfi/View/Helper/UrlNotice.php b/library/ZendAfi/View/Helper/UrlNotice.php index fa96b19eeff9d6c781b2df34a4ac93f23c953fdb..e2e3a4ba8ec623ca2ddc227a53888b77db797bc7 100644 --- a/library/ZendAfi/View/Helper/UrlNotice.php +++ b/library/ZendAfi/View/Helper/UrlNotice.php @@ -23,7 +23,7 @@ class ZendAfi_View_Helper_UrlNotice extends Zend_View_Helper_HtmlElement { /** * @param mixed $notice array or Class_Notice */ - public function urlNotice($notice, $preferences = [], $name = null, $reset = false) { + public function urlNotice($notice, $preferences = [], $name = null, $reset = true) { if (!$notice) return $this->view->url(['module' => 'opac', 'controller'=>'recherche', diff --git a/tests/scenarios/Security/SearchTest.php b/tests/scenarios/Security/SearchTest.php index 2abc0f040144d24d2081212a3f67f5da5864791d..2eae8e20cff46d02da3d6bcbc6b37bf9c77df3e0 100644 --- a/tests/scenarios/Security/SearchTest.php +++ b/tests/scenarios/Security/SearchTest.php 
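Review bot: Flipping the default of `$reset` from `false` to `true` changes every existing `urlNotice()` call that omitted the argument — record links stop carrying the current request's parameters — yet the docblock above still documents only `$notice`. Add `@param bool $reset when true (default) the URL is built from the given params only, never from the current request, so request data cannot be reflected into links`, and audit callers that intentionally relied on the merge, since they now need an explicit `false`. The method body continues outside the hunk.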
@@ -140,3 +140,38 @@ class Security_SearchTest extends AbstractControllerTestCase { $this->dispatch('/recherche/simple/facettes/A2983%27%2F%2A%2A%2FIN%2F%2A%2A%2FBOOLEAN%2F%2A%2A%2FMODE%29%29%2F%2A%2A%2Fand%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%2842%3D30%29%2F%2A%2A%2FTHEN%2F%2A%2A%2FSLEEP%2815%29%2F%2A%2A%2FELSE%2F%2A%2A%2F1314%2F%2A%2A%2FEND%29%2F%2A%2A%2Fand%2F%2A%2A%2F%28MATCH%28facettes%29%2F%2A%2A%2FAGAINST%28%27%2BA2983'); } } + + + + +class SearchViewNoticeTest extends AbstractControllerTestCase { + protected $_storm_default_to_volatile = true; + + public function setUp() { + parent::setUp(); + $this->fixture('Class_Notice', + ['id' => 1, + 'unimarc' => file_get_contents(ROOT_PATH.'/tests/fixtures/dvd_potter.uni') + ]); + + $this->dispatch('/recherche/viewnotice/id/1/%27%3bqxss(document.cookie)%3b%27'); + } + + + /** @test */ + public function jsParamInUrlShouldNotBeInjectedInInfoBlocs() { + $this->assertNotXPathContentContains('//script', 'qxss(document.cookie)'); + } + + + /** @test */ + public function pageShouldNotContainsAnyQXSS() { + $this->assertNotContains('qxss(', $this->_response->getBody()); + } + + + /** @test */ + public function pageShouldContainsinfoBlocsScript() { + $this->assertXPathContentContains('//script', 'infos_bloc'); + } +} \ No newline at end of file
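Review bot: The new `SearchViewNoticeTest` only dispatches anonymously, so the admin-only anchors changed in footer.phtml and FrontNavEntries in this same commit have no regression coverage; a second fixture logged in as a backend user, hitting the same URL and asserting `assertNotContains('qxss(', $this->_response->getBody())`, would close that gap. The class also departs from the sibling's naming (`Security_SearchTest` vs plain `SearchViewNoticeTest`), and `pageShouldContainsinfoBlocsScript` has a casing slip (`pageShouldContainInfoBlocsScript`). The raw-body `assertNotContains` is the right broad check; keep it alongside the XPath one, which only inspects script elements.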