Bug 17022: Fix XSS in circ/branchtransfers.pl
Test plan: Enter the following in the barcode input: <script>alert('XSS')</script> => Without this patch you will see the alert => With this patch, no more alert Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This commit is contained in:
parent
eb543a9084
commit
c63d0b311b
1 changed files with 3 additions and 3 deletions
|
@ -40,7 +40,7 @@
|
|||
<input type="hidden" name="itemnumber" value="[% itemnumber %]" />
|
||||
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
|
||||
[% IF ( waiting ) %]
|
||||
<input type="hidden" name="barcode" value="[% barcode %]" />
|
||||
<input type="hidden" name="barcode" value="[% barcode | html %]" />
|
||||
<input type="hidden" name="request" value="KillWaiting" />
|
||||
<input type="submit" value="Cancel" />
|
||||
[% END %]
|
||||
|
@ -64,7 +64,7 @@
|
|||
<input type="hidden" name="biblionumber" value="[% biblionumber %]" />
|
||||
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
|
||||
<input type="hidden" name="tobranchcd" value="[% tobranchcd %]" />
|
||||
<input type="hidden" name="barcode" value="[% barcode %]" />
|
||||
<input type="hidden" name="barcode" value="[% barcode | html %]" />
|
||||
<input type="hidden" name="request" value="KillReserved" />
|
||||
<input type="submit" value="Cancel" />
|
||||
</form>
|
||||
|
@ -107,7 +107,7 @@
|
|||
<ul>
|
||||
[% FOREACH errmsgloo IN errmsgloop %]
|
||||
[% IF ( errmsgloo.errbadcode ) %]
|
||||
<li>No Item with barcode: [% errmsgloo.msg %]</li>
|
||||
<li>No Item with barcode: [% errmsgloo.msg | html %]</li>
|
||||
[% END %]
|
||||
[% IF ( errmsgloo.errispermanent ) %]
|
||||
<li>Please return item to home library: [% errmsgloo.msg %]</li>
|
||||
|
|
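Review bot: The `errispermanent` branch in the third hunk still emits `errmsgloo.msg` unescaped on the context line `<li>Please return item to home library: [% errmsgloo.msg %]</li>`, while the `errbadcode` branch two lines above now routes the same value through `| html`; the fix should cover both branches, `<li>Please return item to home library: [% errmsgloo.msg | html %]</li>`. Whether `msg` can carry request-supplied text in that branch is not visible from the hunk, but filtering a value that its sibling branch already filters keeps the template consistent and removes the need to reason about it. The first two hunks likewise leave the `itemnumber`, `borrowernumber`, `biblionumber` and `tobranchcd` hidden inputs unfiltered; if any of those come from request parameters rather than from database lookups, the same `| html` filter belongs on them. The enclosing `<form>` elements and the `FOREACH errmsgloo` loop start outside the hunks.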