
Bug 19612: Fix XSS in members/memberentry.pl

To Test
1. Hit the page /cgi-bin/koha/members/memberentry.pl
2. Add a text in the field address, address2, city, state, country,
   zipcode, B_streetnumber, B_city, B_country, B_zipcode that contains js
3. Save the page.
4. Notice the js is executed
5. Apply patch and reload, the js is escaped

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
18.05.x
Amit Gupta 7 years ago
committed by Jonathan Druart
parent
commit
e0e063a85b
  1. 8
      koha-tmpl/intranet-tmpl/prog/en/includes/member-display-address-style-us.inc
  2. 8
      koha-tmpl/intranet-tmpl/prog/en/includes/member-display-alt-address-style-us.inc
  3. 20
      koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt

8
koha-tmpl/intranet-tmpl/prog/en/includes/member-display-address-style-us.inc

@ -4,13 +4,13 @@
[% IF streettype %]
[% SET roadtype_desc = AuthorisedValues.GetByCode('ROADTYPE', streettype) %]
[% END %]
<li class="patronaddress1">[% if (streetnumber) %][% streetnumber %][% end %] [% address %] [% IF roadtype_desc %][% roadtype_desc %] [% END %][% end %]</li>
<li class="patronaddress1">[% if (streetnumber) %][% streetnumber |html %][% end %] [% address |html %] [% IF roadtype_desc %][% roadtype_desc |html %] [% END %][% end %]</li>
[% END %]
[% IF ( address2 ) %]
<li class="patronaddress2">[% address2 %]</li>
<li class="patronaddress2">[% address2 |html %]</li>
[% END %]
[% END %]
[% IF ( city ) %]<li class="patroncity">
[% city %][% IF ( state ) %], [% state %][% END %]
[% zipcode %][% IF ( country ) %], [% country %][% END %]</li>
[% city |html %][% IF ( state ) %], [% state |html %][% END %]
[% zipcode |html %][% IF ( country ) %], [% country |html %][% END %]</li>
[% END %]
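Review bot: Only the `-style-us` address includes are filtered by this commit, here and in `member-display-alt-address-style-us.inc`. The file name suggests that sibling address-style includes exist for other locales, though none are visible on this page; if they do, they print the same patron fields and need the same `|html` filter before the bug can be considered closed. A one-line template comment at the top of each include, for example `[%# every patron-supplied field printed below must go through the html filter %]`, would help later edits keep the escaping in place.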

8
koha-tmpl/intranet-tmpl/prog/en/includes/member-display-alt-address-style-us.inc

@ -4,13 +4,13 @@
[% IF B_streettype %]
[% SET roadtype_desc = AuthorisedValues.GetByCode('ROADTYPE', B_streettype) %]
[% END %]
<li class="patronaddress1">[% if (B_streetnumber) %][% B_streetnumber %][% end %] [% B_address %] [% IF roadtype_desc %][% roadtype_desc %] [% END %][% end %]</li>
<li class="patronaddress1">[% if (B_streetnumber) %][% B_streetnumber |html %][% end %] [% B_address |html %] [% IF roadtype_desc %][% roadtype_desc |html %] [% END %][% end %]</li>
[% END %]
[% IF ( B_address2 ) %]
<li class="patronaddress2">[% B_address2 %]</li>
<li class="patronaddress2">[% B_address2 |html %]</li>
[% END %]
[% END %]
[% IF ( B_city ) %]<li class="patroncity">
[% B_city %][% IF ( B_state ) %], [% B_state %][% END %]
[% B_zipcode %][% IF ( B_country ) %], [% B_country %][% END %]</li>
[% B_city |html %][% IF ( B_state ) %], [% B_state |html %][% END %]
[% B_zipcode |html %][% IF ( B_country ) %], [% B_country |html %][% END %]</li>
[% END %]

20
koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt

@ -238,11 +238,11 @@ function validate1(date) {
[% IF ( phone ) %]<li><span class="label">Primary phone: </span><a href="tel:[% phone %]">[% phone | html %]</a></li>[% END %]
[% IF ( phonepro ) %]<li><span class="label">Secondary phone: </span><a href="tel:[% phonepro %]">[% phonepro | html %]</a></li>[% END %]
[% IF ( mobile ) %]<li><span class="label">Other phone: </span><a href="tel:[% mobile %]">[% mobile | html %]</a></li>[% END %]
[% IF ( fax ) %]<li><span class="label">Fax: </span>[% fax %]</li>[% END %]
[% IF ( fax ) %]<li><span class="label">Fax: </span>[% fax |html %]</li>[% END %]
[% IF ( email ) %]<li class="email"><span class="label">Primary email:</span><a title="[% email %]" href="mailto:[% email | url %]">[% email | html %]</a></li>[% END %]
[% IF ( emailpro ) %]<li class="email"><span class="label">Secondary email: </span><a title="[% emailpro %]" href="mailto:[% emailpro | url %]">[% emailpro | html %]</a></li>[% END %]
[% UNLESS ( I ) %]
[% IF ( initials ) %]<li><span class="label">Initials: </span>[% initials %]</li>[% END %]
[% IF ( initials ) %]<li><span class="label">Initials: </span>[% initials | html %]</li>[% END %]
[% IF ( dateofbirth ) %]<li><span class="label">Date of birth:</span>[% dateofbirth | $KohaDates %] ([% age %] years)</li>[% END %]
[% IF ( sex ) %]<li><span class="label">Gender:</span>
[% IF ( sex == 'F' ) %]Female[% ELSIF ( sex == 'M' ) %]Male[% ELSE %][% sex %][% END %]
@ -422,9 +422,9 @@ function validate1(date) {
[% END %]
</li>
[% IF ( sort1 ) %]<li><span class="label">Sort field 1:</span>[% AuthorisedValues.GetByCode('Bsort1', sort1) %]</li>[% END %]
[% IF ( sort2 ) %]<li><span class="label">Sort field 2:</span>[% AuthorisedValues.GetByCode('Bsort2', sort2) %]</li>[% END %]
<li><span class="label">Username: </span>[% userid %]</li>
[% IF ( sort1 ) %]<li><span class="label">Sort field 1:</span>[% AuthorisedValues.GetByCode('Bsort1', sort1) |html %]</li>[% END %]
[% IF ( sort2 ) %]<li><span class="label">Sort field 2:</span>[% AuthorisedValues.GetByCode('Bsort2', sort2) |html %]</li>[% END %]
<li><span class="label">Username: </span>[% userid |html %]</li>
<li><span class="label">Password: </span>
[% IF ( password ) %]
*******
@ -432,8 +432,8 @@ function validate1(date) {
<span class="problem"><a href="/cgi-bin/koha/members/member-password.pl?member=[% borrowernumber %]">Undefined</a></span>
[% END %]
</li>
[% IF ( borrowernotes ) %]<li><span class="label">Circulation note: </span>[% borrowernotes %]</li>[% END %]
[% IF ( opacnote ) %]<li><span class="label">OPAC note:</span>[% opacnote %]</li>[% END %]
[% IF ( borrowernotes ) %]<li><span class="label">Circulation note: </span>[% borrowernotes |html %]</li>[% END %]
[% IF ( opacnote ) %]<li><span class="label">OPAC note:</span>[% opacnote |html %]</li>[% END %]
[% IF Koha.Preference( 'NorwegianPatronDBEnable' ) == 1 %]
[% IF ( sync == 1 ) %]
<li><span class="label">Activate sync: </span>Yes</li>
@ -475,9 +475,9 @@ function validate1(date) {
[% END %]
<div class="rows"> <ol>
[% IF ( B_phone ) %]<li><span class="label">Phone: </span><a href="tel:[% B_phone %]">[% B_phone %]</a></li>[% END %]
[% IF ( B_email ) %]<li class="email"><span class="label">Email: </span><a title="[% B_email %]" href="mailto:[% B_email %]">[% B_email %]</a></li>[% END %]
[% IF ( contactnote ) %]<li><span class="label">Contact note: </span> [% contactnote %]</li>[% END %]
[% IF ( B_phone ) %]<li><span class="label">Phone: </span><a href="tel:[% B_phone %]">[% B_phone |html %]</a></li>[% END %]
[% IF ( B_email ) %]<li class="email"><span class="label">Email: </span><a title="[% B_email %]" href="mailto:[% B_email | url %]">[% B_email |html %]</a></li>[% END %]
[% IF ( contactnote ) %]<li><span class="label">Contact note: </span> [% contactnote |html %]</li>[% END %]
</ol>
</div>
</div>
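Review bot: The attribute values on the rewritten `B_phone` and `B_email` lines are still emitted without a filter: `href="tel:[% B_phone %]"` and `title="[% B_email %]"` stay raw while the link text beside them gains `|html`, so a stored value containing a double quote can still end the attribute early. I would write `title="[% B_email |html %]"` and `href="tel:[% B_phone | url %]"`, matching the `| url` this commit already adds to the `mailto:` href. The same raw `tel:` and `title` attributes remain on the context lines for `phone`, `phonepro`, `mobile`, `email` and `emailpro` in the first hunk, and `[% sex %]` in the ELSE branch there is also printed unfiltered. The enclosing template blocks start and end outside the hunks shown, so other unfiltered fields may exist between them.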
