Koha/koha-tmpl/intranet-tmpl/prog/en/includes
Jonathan Druart 1ea1504c30 Bug 17025: Fix XSS in serials-search.pl
Test plan:
Hit
  /serials/serials-search.pl?ISSN_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1
  /serials/serials-search.pl?title_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:17:19 +00:00
catalogue Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
csv_headers Bug 11371 - Add a new report : Orders by fund with more options 2016-04-29 12:20:25 +00:00
virtualshelves/merge
acquisitions-add-to-basket.inc
acquisitions-menu.inc Bug 16474: Standardize spelling of EDIFACT 2016-05-12 16:12:23 -06:00
acquisitions-search.inc Bug 16557 - Remove the use of "onclick" from several include files 2016-06-24 13:51:01 +00:00
acquisitions-toolbar.inc Bug 16005 - Standardize use of icons for delete and cancel operations 2016-06-03 08:21:25 +00:00
additem.js.inc
admin-items-search-field-form.inc Bug 15887: Revise layout and behavior of item search fields management 2016-03-02 22:36:17 +00:00
admin-menu.inc Bug 16298: Standardize on "Patron categories" when referring to patron category administration 2016-04-29 15:29:11 +00:00
adv-search.inc Bug 16549 - Remove the use of "onclick" from header search forms 2016-06-24 13:48:24 +00:00
auth-finder-search.inc Bug 16005 - Standardize use of icons for delete and cancel operations 2016-06-03 08:21:25 +00:00
authorities-search-results.inc Bug 16677 - Use abbr for authorities linked headings 2016-07-08 14:28:07 +00:00
authorities-search.inc Bug 16549 - Remove the use of "onclick" from header search forms 2016-06-24 13:48:24 +00:00
authorities-toolbar.inc Bug 16005 - Standardize use of icons for delete and cancel operations 2016-06-03 08:21:25 +00:00
authorities.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
authorities_js.inc
av-build-dropbox.inc Bug 16157: Move the selected flag from GetAuthorisedValues to the templates 2016-04-07 00:16:09 +00:00
biblio-default-view.inc
biblio-view-menu.inc Bug 17024: Fix XSS in tools/viewlog.pl 2016-08-04 18:16:21 +00:00
blocked-fines.inc Bug 16810: Fines note not showing on checkout 2016-07-15 14:13:33 +00:00
borrower_debarments.inc Bug 16888: (follow-up)Add Font Awesome Icons to Members 2016-07-15 18:02:48 +00:00
branch-selector.inc Bug 16548 - All libraries selected on Tools -> Export Data screen 2016-05-30 11:17:28 +00:00
browser-strings.inc
budgets-active-currency.inc Bug 15049: (followup) Add warning about "No active currency" 2015-12-30 23:34:34 +00:00
budgets-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
budgets-admin-toolbar.inc Bug 15009: QA follow-up 2016-04-29 13:00:21 +00:00
calendar.inc Bug 12072: Make datepicker and templates to be aware of dmydot format 2015-11-19 13:15:19 -03:00
cat-menu.inc
cat-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
cat-toolbar.inc Bug 13642 - Adding new features for Dublin Core metadata 2016-01-27 06:23:07 +00:00
cataloging-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
cateditor-ui.inc Bug 15974: Rancor: Correctly select existing authorized value 2016-07-22 17:09:01 +00:00
cateditor-widgets-marc21.inc Bug 11559: (followup) Fix import bugs, display/parsing issues 2015-10-27 12:18:00 -03:00
checkin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
checkouts-table-footer.inc Bug 14948 - Display amounts right aligned in tables on patron pages 2015-12-30 04:25:51 +00:00
checkouts-table.inc Bug 12920 [QA Followup] - Show override option below checkouts table when allowed 2016-02-24 03:10:20 +00:00
circ-menu.inc Bug 16127 - Add discharge menu item to patron toolbar 2016-06-17 15:21:56 +00:00
circ-patron-search-results.inc Bug 16462 - Change default sorting of circulation patron search results to patron name 2016-06-24 13:05:02 +00:00
circ-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
cities-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
columns_settings.inc Bug 15921: Do not include datatables js/css files twice 2016-03-24 15:50:02 +00:00
contracts-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
currencies-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
datatables.inc Bug 16242 - Move staff client JavaScript out of language directory 2016-04-29 14:32:42 +00:00
date-format.inc Bug 12072: Make datepicker and templates to be aware of dmydot format 2015-11-19 13:15:19 -03:00
doc-head-close-receipt.inc Bug 16241 - Move staff client CSS out of language directory 2016-04-29 13:54:37 +00:00
doc-head-close.inc Bug 16490 - Add an "add to cart" link for each search results in the staff client 2016-06-24 13:45:41 +00:00
doc-head-open.inc Bug 13948: Prevent explosion when Template::Plugin::Stash not installed 2015-07-28 10:30:21 -03:00
empty_line.inc Bug 14263: Fix export of item search results when translated 2015-06-04 10:08:40 -03:00
facets.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
form-blocks.inc
format_price.inc Bug 16768: (followup) Add Swiss format for datatables (format_price.inc) 2016-06-24 14:00:03 +00:00
greybox.inc
guided-reports-view.inc
header.inc Bug 16324: Move item search into header 2016-07-08 14:19:35 +00:00
help-bottom.inc Bug 16557 - Remove the use of "onclick" from several include files 2016-06-24 13:51:01 +00:00
help-top.inc Bug 16553 - Incorrect path to jQueryUI file in help template 2016-05-23 17:17:16 +00:00
home-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
installer-doc-head-close.inc Bug 16241 - Move staff client CSS out of language directory 2016-04-29 13:54:37 +00:00
intranet-bottom.inc Bug 11431: Add additional sound options 2015-11-04 12:32:57 -03:00
intranetstylesheet.inc Bug 16241 - Move staff client CSS out of language directory 2016-04-29 13:54:37 +00:00
labels-toolbar.inc Bug 14915: (QA followup) Switch recent commits from Glyphicons to Font Awesome 2015-10-27 10:04:53 -03:00
letters-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
member-alt-address-style-de.inc Bug 10760: Alternate Address: Make street number and street type editable 2016-07-08 13:45:41 +00:00
member-alt-address-style-us.inc Bug 10760: Alternate Address: Make street number and street type editable 2016-07-08 13:45:41 +00:00
member-alt-contact-style-de.inc Bug 15373: Changing Zip to ZIP on OPAC and Intranet 2015-12-30 16:30:35 +00:00
member-alt-contact-style-us.inc Bug 15373: Changing Zip to ZIP on OPAC and Intranet 2015-12-30 16:30:35 +00:00
member-display-address-style-de.inc Bug 15542: Change for the German style address format 2016-01-23 19:15:08 +00:00
member-display-address-style-us.inc Bug 16779: Move road type after address in US style address formatting (main address) 2016-07-08 13:09:55 +00:00
member-display-alt-address-style-de.inc Bug 10760: Alternate Address: Display street number and street type 2016-07-08 13:45:41 +00:00
member-display-alt-address-style-us.inc Bug 10760: (followup) Move street type after address 2016-07-08 13:45:42 +00:00
member-main-address-style-de.inc Bug 16157: Move the selected flag from GetAuthorisedValues to the templates 2016-04-07 00:16:09 +00:00
member-main-address-style-us.inc Bug 16157: Move the selected flag from GetAuthorisedValues to the templates 2016-04-07 00:16:09 +00:00
members-menu.inc Bug 14157: Notices tab in the patron record should not depend on EnhancedMessagingPreferences to display 2015-11-05 10:29:15 -03:00
members-toolbar.inc Bug 3669: Remove parameters passed to action of form 2016-06-24 13:20:14 +00:00
merge-record-strings.inc Bug 8064: Change the way target record is built. 2015-11-09 15:08:57 -03:00
merge-record.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
messaging-preference-form.inc Bug 16557 - Remove the use of "onclick" from several include files 2016-06-24 13:51:01 +00:00
nl-search-form.tt
page-numbers.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
patron-search-box.inc Bug 16429 - Fix root problem 2016-05-05 10:20:44 +00:00
patron-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
patron-title.inc
patron-toolbar.inc Bug 3534 - Patron quick add form 2016-07-07 18:35:01 +00:00
patroncards-errors.inc Bug 14138: Patroncard: Warn user if PDF creation fails 2016-07-15 15:00:56 +00:00
patroncards-toolbar.inc Bug 14915: (QA followup) Switch recent commits from Glyphicons to Font Awesome 2015-10-27 10:04:53 -03:00
patrons-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
permissions.inc Bug 16454: Use 'inventory' instead of 'inventory/stocktaking' 2016-05-16 17:42:39 +00:00
popup-bottom.inc
prefs-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
prefs-menu.inc Bug 11559: Rancor: advanced cataloging interface 2015-10-27 12:17:39 -03:00
printers-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
quotes-toolbar.inc Bug 16005 - Standardize use of icons for delete and cancel operations 2016-06-03 08:21:25 +00:00
quotes-upload-toolbar.inc Bug 16513 - Improvements and fixes for quote upload process 2016-06-24 13:47:34 +00:00
reports-menu.inc
reports-toolbar.inc Bug 16005 - Standardize use of icons for delete and cancel operations 2016-06-03 08:21:25 +00:00
resort_form.inc
rotating-collections-toolbar.inc Bug 16005 - Standardize use of icons for delete and cancel operations 2016-06-03 08:21:25 +00:00
search_indexes.inc
serials-menu.inc Bug 10855: Search subscriptions by additional fields 2015-10-02 15:10:30 -03:00
serials-search.inc Bug 17025: Fix XSS in serials-search.pl 2016-08-10 13:17:19 +00:00
serials-toolbar.inc Bug 16745 - Add edit catalog and edit items links to serials toolbar 2016-06-24 13:59:20 +00:00
slip-print.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
strings.inc Bug 15533: QA follow-up - Formatting and improving translatability 2016-04-29 10:26:05 +00:00
subscriptions-search.inc Bug 17025: Fix XSS in serials-search.pl 2016-08-10 13:17:19 +00:00
subtypes_unimarc.inc Bug 16557 - Remove the use of "onclick" from several include files 2016-06-24 13:51:01 +00:00
suggestions-add-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
timepicker.inc
tools-item-action.inc
tools-menu.inc Bug 15213 - Fix tools sidebar to highlight Patron lists when in that module 2016-06-10 18:06:34 +00:00
tools-nomatch-action.inc
tools-overlay-action.inc
validator-strings.inc
vendor-menu.inc
virtualshelves-toolbar.inc Bug 15453: Assign the correct shelfid to the download list links 2016-01-07 18:54:34 +00:00
wysiwyg-systempreferences.inc Bug 16241 - Move staff client CSS out of language directory 2016-04-29 13:54:37 +00:00
z3950-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
z3950_search.inc Bug 16812: Revise JS script for z3950_search.tts and remove onclick events 2016-07-15 15:24:57 +00:00