From 52fe1238915bf88fbb5f048029b67250e59409a0 Mon Sep 17 00:00:00 2001
From: Liz
Date: Mon, 5 Jan 2015 02:32:32 +0000
Subject: [PATCH] Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves
A specially crafted url causes XSS in Koha
To test:
cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E
cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves
These should cause a popup without the patch. With the patch, no popup. You may need to create these lists, the xss will not be triggered if the list doesn't exist or you don't have permission to view them.
Signed-off-by: Chris
Fixes the two listed problems
Signed-off-by: Katrin Fischer
Confirmed patch fixes the problem.
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
---
.../en/modules/opac-downloadshelf.tt | 4 +-
.../bootstrap/en/modules/opac-shelves.tt | 46 +++++++++----------
2 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt
index 87df1da1f4..128cec2e1c 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt
@@ -55,7 +55,7 @@ [% FOREACH csv_profile IN csv_profiles %] - + [% END %] Required
@@ -64,7 +64,7 @@
- Cancel + Cancel
[% IF ( modal ) %]
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
index f39b2c5ad0..4b929d2626 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
@@ -156,10 +156,10 @@
New list | - Download list + Download list [% IF Koha.Preference( 'opacuserlogin' ) == 1 %] - Send list + Send list [% END %] Print list
@@ -169,30 +169,30 @@
- +
- + [% IF ( showprivateshelves ) %] [% END %]
[% IF showprivateshelves && Koha.Preference('OpacAllowSharingPrivateLists') %] - Share list + Share list [% END %] [% ELSIF showprivateshelves # not manageshelf and private means shared %] [% INCLUDE remove_share %] - + [% END # / IF manageshelf %]
- + + [% END %]
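Review bot: The fix in this hunk (and in the other hunks of both templates) filters the list id at each individual output site, so any later line in these templates that prints the same value without the filter reopens the same injection; since the commit message shows the affected parameters `viewshelf` and `shelfid` are list ids, the handling scripts `opac-shelves.pl` and `opac-downloadshelf.pl` named there should additionally reject a non-numeric value before rendering, which closes every output site at once. The markup of the changed lines is not preserved in this copy of the patch, so I cannot confirm which filter the new side applies; the `[% shelfname |html %]` context line in the @@ -528 hunk suggests `|html`, but for a value placed inside an href query string Template Toolkit's `|uri` filter is the context-appropriate one, and each changed site should be checked for which context it sits in. A regression test that requests `opac-shelves.pl?viewshelf=<non-numeric placeholder>` and asserts the response does not echo the value unescaped would keep this from coming back.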
@@ -485,13 +485,13 @@ - +
- + [% IF ( showprivateshelves ) %] [% END %]
@@ -511,13 +511,13 @@ [% END # / IF viewshelf %] [% IF ( itemsloop && allowremovingitems ) %] - + - +
[% ELSIF ( !itemsloop && manageshelf ) %]
- +
@@ -528,7 +528,7 @@ - +
Editing [% shelfname |html %]
    @@ -588,9 +588,9 @@
    [% IF ( showprivateshelves ) %] - Cancel + Cancel [% ELSE %] - Cancel + Cancel [% END %]
    @@ -644,7 +644,7 @@ [% IF ( shelveslooppri.mine ) %]
    - +
@@ -652,22 +652,22 @@ - - + + [% IF ( shelveslooppri.confirm ) %] - + [% ELSE %] [% END %]
    [% IF Koha.Preference('OpacAllowSharingPrivateLists') %] - Share + Share [% END %] [% ELSE # not shelveslooppri.mine, so shared %] [% INCLUDE remove_share # if pref is off, you should still be able to remove shares %] - - + + [% END %]