Bug 17021: Fix XSS in circ/returns.pl

Test plan:
Enter the following in the barcode input:
<script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This commit is contained in:
Jonathan Druart 2016-07-28 13:01:43 +01:00 committed by Kyle M Hall
parent 1ea1504c30
commit 12b4c83f5a


@ -282,7 +282,7 @@ $(document).ready(function () {
<input type="hidden" name="itemnumber" value="[% itemnumber %]" />
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
<input type="hidden" name="biblionumber" value="[% itembiblionumber %]" />
<input type="hidden" name="resbarcode" value="[% barcode %]" />
<input type="hidden" name="resbarcode" value="[% barcode | html %]" />
<input type="hidden" name="diffBranch" value="[% destbranch %]" />
<input type="hidden" name="exemptfine" value="[% exemptfine %]" />
<input type="hidden" name="dropboxmode" value="[% dropboxmode %]" />
@ -447,7 +447,7 @@ $(document).ready(function () {
<input type="hidden" name="itemnumber" value="[% itemnumber %]" />
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
<input type="hidden" name="biblionumber" value="[% itembiblionumber %]" />
<input type="hidden" name="resbarcode" value="[% barcode %]" />
<input type="hidden" name="resbarcode" value="[% barcode | html %]" />
<input type="hidden" name="diffBranch" value="[% destbranch %]" />
<input type="hidden" name="exemptfine" value="[% exemptfine %]" />
<input type="hidden" name="dropboxmode" value="[% dropboxmode %]" />
@ -484,7 +484,7 @@ $(document).ready(function () {
</p>
[% END %]
[% IF ( errmsgloo.badbarcode ) %]
<p class="problem">No item with barcode: [% errmsgloo.msg %]</p>
<p class="problem">No item with barcode: [% errmsgloo.msg | html %]</p>
[% END %]
[% IF ( errmsgloo.ispermanent ) %]
<p class="problem">Please return item to: [% errmsgloo.msg %]</p>
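Review bot: The same `errmsgloo.msg` variable that the third hunk now escapes in the badbarcode branch is still emitted raw two lines later in the ispermanent branch, `<p class="problem">Please return item to: [% errmsgloo.msg %]</p>`, so the fix is incomplete for that message slot; it should read `[% errmsgloo.msg | html %]` as well. Whether that branch's msg can carry attacker-controlled text depends on the Perl side, which is not in this commit, but filtering every interpolation into HTML is the safer default and matches what the patch does above. Likewise in the first two hunks only `barcode` gets `| html` while the neighbouring hidden inputs (`itemnumber`, `borrowernumber`, `itembiblionumber`, `destbranch`, `exemptfine`, `dropboxmode`) stay unfiltered; some of those are presumably numeric, but applying `| html` uniformly costs nothing and closes the same class of bug if any of them echoes request input. The enclosing `[% IF %]` block continues past the end of this hunk.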