From 624eb9e1f5f7ca87a6d8fbbaef0bbaa3dea3bc21 Mon Sep 17 00:00:00 2001 From: Katrin Fischer Date: Wed, 16 Aug 2017 13:52:07 +0200 Subject: [PATCH] Bug 19108: (follow-up) Fix Stored XSS in fieldmapping.pl and items_search_fields.pl To test: - Add a framework with script in the description - Access the Keywords to MARC mapping page - Add an item search field where both name and label are script - Try to edit/delete the added mapping With the patch no script should be executed and everything should still work ok. Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart --- .../intranet-tmpl/prog/en/modules/admin/fieldmapping.tt | 6 +++--- .../prog/en/modules/admin/items_search_fields.tt | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt index 238555a1b5..7e2f07370c 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt @@ -25,7 +25,7 @@ $(document).ready(function() {

Keyword to MARC mapping

[% UNLESS ( fields.count ) %] -

There are no mappings for the [% IF framework.frameworktext %][% framework.frameworktext %][% ELSE %]default[% END %] framework.

+

There are no mappings for the [% IF framework.frameworktext %][% framework.frameworktext |html %][% ELSE %]default[% END %] framework.

[% END %]
@@ -33,9 +33,9 @@ $(document).ready(function() { [% FOREACH f IN frameworks %] [% IF f.frameworkcode == framework.frameworkcode %] - + [% ELSE %] - + [% END %] [% END %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt index 0904553259..6e12b1b1bd 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt @@ -77,8 +77,8 @@ [% field.tagsubfield %] [% field.authorised_values_category %] - Edit - Delete + Edit + Delete [% END %]
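Review bot: in the fieldmapping.tt hunk at line 25 the `|html` filter is applied only to the interpolated value (`[% framework.frameworktext |html %]`) and not to the surrounding `[% IF framework.frameworktext %]` test, which is right, since the test emits nothing; `html` is the correct filter for element text. The same description is also rendered by the framework select further down the template (the hunk at line 33), so the two sites should be checked together: escaping the "no mappings" message alone leaves the dropdown as the remaining output point for the same stored value.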
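Review bot: the two replaced option lines inside the `[% FOREACH f IN frameworks %]` loop in fieldmapping.tt (the `[% IF f.frameworkcode == framework.frameworkcode %]` branch and the `[% ELSE %]` branch) were dropped from this rendering, so the escaping they apply cannot be verified from what is visible. Both the option's visible text and its `value` attribute need the `|html` filter (Template Toolkit's `html` filter also escapes `"`, so it is safe inside a quoted attribute), and the two branches should be identical apart from the selected marker so that one does not drift from the other on a later edit.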
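Review bot: in the items_search_fields.tt hunk at line 77 only the Edit and Delete lines are replaced, while the unchanged context lines `[% field.tagsubfield %]` and `[% field.authorised_values_category %]` still render without `|html`; both come from the same stored row as the name and label the commit message describes, so apply the filter there as well rather than relying on upstream validation. If the field name is interpolated into the query string of the Edit and Delete hrefs, the `uri` filter is the right one for that position: `html` turns `&` into `&amp;`, which the browser decodes back before building the request, and it does not percent-encode `#` or `?`, so a name containing those characters would still truncate or split the URL.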