Timestamp:
2019-11-25T20:08:31+13:00 (5 years ago)
Author:
ak19
Message:

Implemented Dr Bainbridge's suggestions, based on Kathy's solution, for preventing script elements in queries (e.g. `</script><script>alert(1)</script>`) from ending up live when a search is performed.

File:
1 edited

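--- a/main/trunk/greenstone3/web/interfaces/default/transform/javascript-global-setup.xsl
+++ b/main/trunk/greenstone3/web/interfaces/default/transform/javascript-global-setup.xsl
@@ -34,5 +34,5 @@
             <xsl:for-each select="/page/pageRequest/paramList/param">
                 <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text>
-                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(@value)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
+                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(@value)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 <xsl:text disable-output-escaping="yes">name = name.replace(".", "_");</xsl:text>
                 gs.cgiParams[name] = value;
@@ -77,5 +77,5 @@
             <xsl:for-each select="/page/pageResponse/metadataList/metadata">
                 <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text>
-                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
+                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 addMetadataToList(name, value, gs.siteMetadata, lang);
@@ -84,5 +84,5 @@
             <xsl:for-each select="/page/pageResponse/collection/metadataList/metadata">
                 <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text>
-                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
+                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 addMetadataToList(name, value, gs.collectionMetadata, lang);
@@ -91,5 +91,5 @@
             <xsl:for-each select="/page/pageResponse/document/metadataList/metadata">
                 <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text>
-                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
+                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 addMetadataToList(name, value, gs.documentMetadata, lang);
@@ -103,5 +103,5 @@
                 <xsl:for-each select="metadataList/metadata">
                     <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text>
-                    <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
+                    <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                     <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                     addMetadataToList(name, value, metaList, lang);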
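Review bot: The `name = "…"` line directly above each changed `value` line still splices `<xsl:value-of select="@name"/>` into a JavaScript string literal with no escaping, and in the first loop that name comes from `/page/pageRequest/paramList/param`, i.e. from the request rather than from trusted metadata. In text content the XSLT serializer escapes `<` and `&` but not `"`, so if a request parameter name containing `"` reaches paramList it can terminate the literal exactly as a value could before this change; the `lang = "…"` lines in the metadata loops have the same shape, though their source is the response. I would route every piece of text spliced into a JS string through the same helper, e.g. `<xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(@name)"/>`, so one function is responsible for the JS-string context. The helper's implementation is not part of this changeset, and its name lists newlines, quotes and angle brackets but not backslashes; it is worth confirming it also escapes `\` (and ideally U+2028/U+2029), since otherwise an input such as `\"` still ends the literal after the quote is escaped. The template and the surrounding `<script>` block these loops live in start and end outside the hunks.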