
Bug 19125: Fix Stored XSS in members.pl

To prepare for testing this patch:
- Add a patron list named <script>alert("patron list")</script>
- Add a library named <script>alert("library")</script>
- Add a patron category named <script>alert("patron category")</script>

To test:
- Access patron search page and do a search
- Verify that the alerts added above are executed
- Apply patch
- Verify that no alerts are displayed

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
17.11.x
Katrin Fischer 5 years ago
committed by Jonathan Druart
parent
commit
2d30845601
  1. 2
      koha-tmpl/intranet-tmpl/prog/en/includes/html_helpers.inc
  2. 6
      koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc
  3. 4
      koha-tmpl/intranet-tmpl/prog/en/includes/patron-toolbar.inc
  4. 6
      koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt

2
koha-tmpl/intranet-tmpl/prog/en/includes/html_helpers.inc

@ -3,7 +3,7 @@
[% IF l.selected %]
<option value="[% l.branchcode | html %]" selected="selected">[% l.branchname %]</option>
[% ELSE %]
<option value="[% l.branchcode | html %]">[% l.branchname %]</option>
<option value="[% l.branchcode | html %]">[% l.branchname |html %]</option>
[% END%]
[% END %]
[% END %]
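Review bot: The selected branch of the IF at the top of this hunk still renders `[% l.branchname %]` without the html filter, so a branch name containing markup is escaped only when that branch is not the currently selected option; the commit's test plan exercises just the unselected case. The corrected line would be `<option value="[% l.branchcode | html %]" selected="selected">[% l.branchname | html %]</option>`. The same omission is present in the selected branch of the branch dropdown in patron-search.inc.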

6
koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc

@ -94,7 +94,7 @@
[% IF b.selected %]
<option value="[% b.branchcode %]" selected="selected">[% b.branchname %]</option>
[% ELSE %]
<option value="[% b.branchcode %]">[% b.branchname %]</option>
<option value="[% b.branchcode %]">[% b.branchname |html %]</option>
[% END %]
[% END %]
</select>
@ -107,9 +107,9 @@
<option value="">Any</option>
[% FOREACH category IN categories %]
[% IF category.categorycode == categorycode_filter %]
<option value="[% category.categorycode %]" selected="selected">[% category.description %]</option>
<option value="[% category.categorycode %]" selected="selected">[% category.description |html %]</option>
[% ELSE %]
<option value="[% category.categorycode %]">[% category.description %]</option>
<option value="[% category.categorycode %]">[% category.description |html %]</option>
[% END %]
[% END %]
</select>
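Review bot: Both hunks in this file escape only the option text; the value attributes `[% b.branchcode %]` and `[% category.categorycode %]` are still interpolated raw, while html_helpers.inc in this same commit already writes `[% l.branchcode | html %]`. Branch and category codes are presumably admin-entered and short, but an attribute context needs the same filter, e.g. `<option value="[% category.categorycode | html %]">[% category.description | html %]</option>`. The value attributes in patron-toolbar.inc and member.tt follow the same pattern and would need the same treatment.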

4
koha-tmpl/intranet-tmpl/prog/en/includes/patron-toolbar.inc

@ -7,14 +7,14 @@
<div class="btn-group">
<button class="btn btn-default btn-sm dropdown-toggle" data-toggle="dropdown"><i class="fa fa-plus"></i> New patron <span class="caret"></span></button>
<ul class="dropdown-menu">
[% FOREACH category IN categories %]<li><a href="/cgi-bin/koha/members/memberentry.pl?op=add&amp;categorycode=[% category.categorycode %]">[% category.description %]</a></li>[% END %]
[% FOREACH category IN categories %]<li><a href="/cgi-bin/koha/members/memberentry.pl?op=add&amp;categorycode=[% category.categorycode %]">[% category.description |html %]</a></li>[% END %]
</ul>
</div>
[% IF Koha.Preference('PatronQuickAddFields') || Koha.Preference('BorrowerMandatoryField') %]
<div class="btn-group">
<button class="btn btn-default btn-sm dropdown-toggle" data-toggle="dropdown"><i class="fa fa-plus"></i> Quick add new patron <span class="caret"></span></button>
<ul class="dropdown-menu">
[% FOREACH category IN categories %]<li><a href="/cgi-bin/koha/members/memberentry.pl?op=add&amp;categorycode=[% category.categorycode %]&amp;quickadd=true">[% category.description %]</a></li>[% END %]
[% FOREACH category IN categories %]<li><a href="/cgi-bin/koha/members/memberentry.pl?op=add&amp;categorycode=[% category.categorycode %]&amp;quickadd=true">[% category.description |html %]</a></li>[% END %]
</ul>
</div>
[% END %]
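Review bot: On the two FOREACH lines, `[% category.categorycode %]` is interpolated into the href query string without any filter; the added `|html` covers only the link text. A code containing `&`, `#` or a quote character would alter the URL or terminate the attribute, so the query value should go through Template Toolkit's `uri` filter, `categorycode=[% category.categorycode | uri %]`, on both the plain and the quickadd link. The surrounding markup continues outside the hunk.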

6
koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt

@ -373,7 +373,7 @@ function filterByFirstLetterSurname(letter) {
[% IF patron_lists %]
<optgroup label="Patron lists:">
[% FOREACH pl IN patron_lists %]
<option value="[% pl.patron_list_id %]">[% pl.name %]</option>
<option value="[% pl.patron_list_id %]">[% pl.name |html %]</option>
[% END %]
</optgroup>
[% END %]
@ -497,9 +497,9 @@ function filterByFirstLetterSurname(letter) {
<option value="">Any</option>
[% FOREACH cat IN categories %]
[% IF cat.categorycode == categorycode_filter %]
<option selected="selected" value="[% cat.categorycode %]">[% cat.description %]</option>
<option selected="selected" value="[% cat.categorycode %]">[% cat.description |html %]</option>
[% ELSE %]
<option value="[% cat.categorycode %]">[% cat.description %]</option>
<option value="[% cat.categorycode %]">[% cat.description |html %]</option>
[% END %]
[% END %]
</select>
