Bug 19127: Fix Stored XSS in csv-profiles.pl

To Test 1. Hit the page /cgi-bin/koha/tools/csv-profiles.pl?op=add_form 2. Add a text in the field Profile name, Profile description and Profile MARC fields that contains js 3. Save the page. 4. Notice js is execute 5. Apply patch and reload, the js is escaped Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-16 17:56:17 +05:30 · 2017-08-16 17:56:17 +05:30 · b90662073f
commit b90662073f
parent 914577fdb7
1 changed files with 3 additions and 3 deletions
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/csv-profiles.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/csv-profiles.tt
@ -279,9 +279,9 @@ function reloadPage(p) {
                [% FOREACH csv_profile IN csv_profiles %]
                <tr>
                    <td>[% csv_profile.export_format_id %]</td>
-                    <td>[% csv_profile.profile %]</td>
-                    <td>[% csv_profile.description %]</td>
-                    <td>[% csv_profile.content %]</td>
+                    <td>[% csv_profile.profile |html %]</td>
+                    <td>[% csv_profile.description |html %]</td>
+                    <td>[% csv_profile.content |html %]</td>
                    <td>[% csv_profile.csv_separator %]</td>
                    <td>[% PROCESS type_description type_code = csv_profile.type %]</td>
                    <td>[% PROCESS used_for_description used_for_code = csv_profile.used_for %]</td>