Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity

Bug 13609: Cross Site Scripting problem in authority search result list paging

Browse source 
To test:
- Use an installation a reasonable amount of authorities, so that you can
  have a search result list with more than one page
- Activate OpacAuthorities
- Create an OPAC link like shown below, verify that an alert is shown
- Apply patch
- Refresh the page and no alert should appear
- Verify the paging still works correctly for 'numbers' and 'arrows'

URL:
.../cgi-bin/koha/opac-authorities-home.pl?and_or=and&marclist=match&op=do_search&operator=contains&orderby=HeadingAsc2"><script>prompt(987898)</script>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This commit is contained in:
Katrin Fischer 2015-01-22 14:41:09 +01:00 committed by Tomas Cohen Arazi
parent da6ee1c469
commit c667b9ddbf
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-authoritiessearchresultlist.tt
View file

@ -6,7 +6,7 @@
<ul>
[% IF ( displayprev ) %]
<li>
<a href="opac-authorities-home.pl?startfrom=[% startfromprev %]&amp;[% FOREACH searchdat IN searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]resultsperpage=[% resultsperpage %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby %]">
<a href="opac-authorities-home.pl?startfrom=[% startfromprev %]&amp;[% FOREACH searchdat IN searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]resultsperpage=[% resultsperpage %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby|html %]">
&laquo;
</a>
</li>
@ -15,12 +15,12 @@
[% IF ( number.highlight ) %]
<li class="active"><a href="#">[% number.number %]</a></li>
[% ELSE %]
<li><a href="opac-authorities-home.pl?startfrom=[% number.startfrom %]&amp;[% FOREACH searchdat IN number.searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]resultsperpage=[% resultsperpage %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby %]">[% number.number %]</a></li>
<li><a href="opac-authorities-home.pl?startfrom=[% number.startfrom %]&amp;[% FOREACH searchdat IN number.searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]resultsperpage=[% resultsperpage %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby|html %]">[% number.number %]</a></li>
[% END %]
[% END %]
[% IF ( displaynext ) %]
<li>
<a href="opac-authorities-home.pl?startfrom=[% startfromnext %]&amp;[% FOREACH searchdat IN searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]&amp;resultsperpage=[% resultsperpage %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby %]">&raquo;</a>
<a href="opac-authorities-home.pl?startfrom=[% startfromnext %]&amp;[% FOREACH searchdat IN searchdata %][% searchdat.term %]=[% searchdat.val |url %]&amp;[% END %]&amp;resultsperpage=[% resultsperpage %]&amp;type=opac&amp;op=do_search&amp;authtypecode=[% authtypecode %]&amp;orderby=[% orderby|html %]">&raquo;</a>
</li>
[% END %]
</ul>