Bug 19108: (follow-up) Fix Stored XSS in fieldmapping.pl and items_search_fields.pl

To test:
- Add a framework with script in the description
- Access the Keywords to MARC mapping page
- Add an item search field where both name and label are script
- Try to edit/delete the added mapping

With the patch no script should be executed and everything
should still work ok.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This commit is contained in:
Katrin Fischer 2017-08-16 13:52:07 +02:00 committed by Jonathan Druart
parent a482880352
commit 624eb9e1f5
2 changed files with 5 additions and 5 deletions

View file

@ -25,7 +25,7 @@ $(document).ready(function() {
<div class="yui-b"> <div class="yui-b">
<h2>Keyword to MARC mapping</h2> <h2>Keyword to MARC mapping</h2>
[% UNLESS ( fields.count ) %] [% UNLESS ( fields.count ) %]
<div class="dialog message"><p>There are no mappings for the [% IF framework.frameworktext %]<em>[% framework.frameworktext %]</em>[% ELSE %]default[% END %] framework. </p></div> <div class="dialog message"><p>There are no mappings for the [% IF framework.frameworktext %]<em>[% framework.frameworktext |html %]</em>[% ELSE %]default[% END %] framework. </p></div>
[% END %] [% END %]
<form method="get" action="/cgi-bin/koha/admin/fieldmapping.pl" id="selectframework"> <form method="get" action="/cgi-bin/koha/admin/fieldmapping.pl" id="selectframework">
<label for="framework">Framework:</label> <label for="framework">Framework:</label>
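Review bot: The `|html` filter on `framework.frameworktext` inside the `<em>` is the right escape for this body-text context, but because Template Toolkit escapes only where a filter is written, each output site of the same variable has to be fixed individually. A regression test that renders this page with a framework description containing `<script>` (the commit message's own test case) and asserts the escaped form `&lt;script&gt;` appears in the output would keep this from silently reverting.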
@ -33,9 +33,9 @@ $(document).ready(function() {
<option value="">Default</option> <option value="">Default</option>
[% FOREACH f IN frameworks %] [% FOREACH f IN frameworks %]
[% IF f.frameworkcode == framework.frameworkcode %] [% IF f.frameworkcode == framework.frameworkcode %]
<option selected="selected" value="[% f.frameworkcode %]">[% f.frameworktext %]</option> <option selected="selected" value="[% f.frameworkcode %]">[% f.frameworktext |html %]</option>
[% ELSE %] [% ELSE %]
<option value="[% f.frameworkcode %]">[% f.frameworktext %]</option> <option value="[% f.frameworkcode %]">[% f.frameworktext |html %]</option>
[% END %] [% END %]
[% END %] [% END %]
</select> </select>
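Review bot: `f.frameworktext` is now filtered in both `<option>` branches, but `f.frameworkcode` in `value="[% f.frameworkcode %]"` on the same two lines is still emitted unescaped inside a quoted attribute. Even if the code is expected to be a short identifier, applying `|html` there as well keeps the attribute context consistent with the rest of the fix.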

View file

@ -77,8 +77,8 @@
<td>[% field.tagsubfield %]</td> <td>[% field.tagsubfield %]</td>
<td>[% field.authorised_values_category %]</td> <td>[% field.authorised_values_category %]</td>
<td> <td>
<a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/items_search_field.pl?name=[% field.name %]" title="Edit [% field.name %] field"><i class="fa fa-pencil"></i> Edit</a> <a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/items_search_field.pl?name=[% field.name |html %]" title="Edit [% field.name |html %] field"><i class="fa fa-pencil"></i> Edit</a>
<a class="field-delete btn btn-default btn-xs" href="/cgi-bin/koha/admin/items_search_fields.pl?op=del&name=[% field.name %]"><i class="fa fa-trash"></i> Delete</a> <a class="field-delete btn btn-default btn-xs" href="/cgi-bin/koha/admin/items_search_fields.pl?op=del&name=[% field.name |html %]"><i class="fa fa-trash"></i> Delete</a>
</td> </td>
</tr> </tr>
[% END %] [% END %]
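Review bot: `|html` is the right filter for the `title="Edit [% field.name |html %] field"` attribute, but for the `name=[% field.name |html %]` query parameter in both `href` values the appropriate filter is `|uri`, which percent-encodes characters such as `&`, `=` and `#` so the value survives as a single parameter instead of being split or truncated when the link is followed; `|html` only prevents attribute breakout. Separately, the literal `&name=` in the delete link should be written `&amp;name=` to be valid HTML.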