Koha/koha-tmpl/intranet-tmpl/prog/en/includes
Amit Gupta bfbba2339f Bug 19108: Fix Stored XSS in items_search_fields.pl
To Test
1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
2. Add text in the Name and Label fields that contains js
3. Save the page.
4. Notice the js is executed
5. Apply the patch and reload; the js is escaped

Fixed for the new and edit pages

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:50 -03:00
catalogue Bug 16485: collection column in Item search is always empty 2017-09-01 13:02:25 -03:00
csv_headers Bug 18331: Fix CSV export (once and for all!) 2017-08-15 12:17:40 -03:00
virtualshelves/merge
acquisitions-add-to-basket.inc
acquisitions-menu.inc Bug 17972 - Reformat acquisitions sidebar menu with acquisitions and administration sections 2017-02-17 12:05:08 +00:00
acquisitions-search.inc
acquisitions-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
additem.js.inc Bug 14752 - (QA followup) Remove annoying modal, use dialog box instead 2016-09-13 17:21:05 +00:00
admin-items-search-field-form.inc Bug 19108: Fix Stored XSS in items_search_fields.pl 2017-09-29 12:20:50 -03:00
admin-menu.inc Bug 17794: Menu items in Tools menu and Admin menu not showing bold when active but not on linked page 2017-01-13 11:35:29 +00:00
adv-search.inc
auth-finder-search.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
authorities-search-results.inc Bug 18703 - Translatability: Resolve some remaining %%] problems for staff client in 6 Files 2017-06-16 17:04:08 -03:00
authorities-search.inc
authorities-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
authorities.inc
authorities_js.inc
av-build-dropbox.inc Bug 18682 - Translatability: Get rid of [%% in translation for 2 files av-build-dropbox.inc 2017-06-05 16:35:56 -03:00
biblio-default-view.inc
biblio-view-menu.inc Bug 14610 - Add and update scripts 2016-10-26 12:15:14 +00:00
blocked-fines.inc Bug 18762: Remove warnings from xt/author/valid-templates.t 2017-06-14 14:36:28 -03:00
borrower_debarments.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
branch-selector.inc Bug 18693: Translatability: Get rid of exposing a [%% FOREACH loop in translation for branch-selector.inc 2017-06-05 16:47:22 -03:00
browser-strings.inc
budgets-active-currency.inc
budgets-admin-search.inc Bug 15758: Koha::Libraries - Remove GetBranchesLoop 2016-09-08 14:36:02 +00:00
budgets-admin-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
calendar.inc Bug 18447 - Datepicker only shows -10/+10 years 2017-08-25 11:38:46 -03:00
cat-menu.inc
cat-search.inc Bug 16903 - Multiple class attributes on catalog search tab 2016-09-02 14:03:42 +00:00
cat-toolbar.inc Bug 17893 - Move JavaScript to the footer on staff client catalog pages 2017-09-07 14:05:49 -03:00
catalog-strings.inc Bug 17893 - Move JavaScript to the footer on staff client catalog pages 2017-09-07 14:05:49 -03:00
cataloging-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
cateditor-ui.inc Bug 18415 - Advanced Editor - Rancor - return focus to editor after successful macro 2017-05-08 09:03:34 -04:00
cateditor-widgets-marc21.inc Bug 17288: (follow-up) Remove unnecessary Date() function 2017-08-25 10:59:04 -03:00
checkin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
checkouts-table-footer.inc Bug 15975 (QA Followup) Fix colspan for footer 2016-09-25 15:41:36 +00:00
checkouts-table.inc Bug 15498: Let the user choose the CSV profile to export circ history 2017-03-31 11:13:47 +00:00
circ-menu.inc Bug 19129 - Clean up Details tab for Organisation patrons 2017-09-01 13:02:23 -03:00
circ-nav.inc Bug 16530: Add a new method to the Branches TT Plugin to avoid c/p 2017-03-03 18:34:36 +00:00
circ-patron-search-results.inc Bug 14874 - Add ability to search for patrons by date of birth from checkout and patron quick searches 2016-10-27 13:21:13 +00:00
circ-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
cities-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
columns_settings.inc
contracts-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
country-list.inc Bug 14608: Move country list to an include file 2017-03-22 23:51:30 +00:00
currencies-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
datatables.inc
date-format.inc
doc-head-close-receipt.inc
doc-head-close.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
doc-head-open.inc
empty_line.inc Bug 18331: Force tt to insert newline to empty_line.inc 2017-08-15 12:17:40 -03:00
facets.inc Bug 17169 - Use CCODE descriptions instead of codes 2017-03-22 19:24:23 +00:00
form-blocks.inc
format_price.inc Bug 16768: (followup) Add Swiss format for datatables (format_price.inc) 2016-06-24 14:00:03 +00:00
greybox.inc
guided-reports-view.inc
header.inc Bug 18718: Language selector in staff header menu similar to OPAC 2017-09-01 11:30:26 -03:00
help-bottom.inc
help-top.inc
home-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
html_helpers.inc Bug 19125: Fix Stored XSS in members.pl 2017-09-29 12:20:45 -03:00
installer-doc-head-close.inc Bug 17942 - Add anti-clickjack code to installer doc head close 2017-05-09 20:54:30 +00:00
installer-strings.inc Bug 17942 - Update style of the web installer with Bootstrap 3 2017-05-09 20:54:30 +00:00
intranet-bottom.inc Bug 18718: Language selector in staff header menu similar to OPAC 2017-09-01 11:30:26 -03:00
intranetstylesheet.inc
js_includes.inc Bug 17870 - Call to include file incorrectly moved into the footer 2017-01-13 11:27:39 +00:00
labels-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
langmenu-staff-top.inc Bug 18718: Language selector in staff header menu similar to OPAC 2017-09-01 11:30:26 -03:00
letters-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
member-alt-address-style-de.inc Bug 17559: Fixed HTML element ID of B_streetnumber 2016-11-18 14:16:43 +00:00
member-alt-address-style-fr.inc Bug 18110: Add a field FR to the syspref AddressFormat 2017-04-28 08:50:19 -04:00
member-alt-address-style-us.inc Bug 17559: Fixed HTML element ID of B_streetnumber 2016-11-18 14:16:43 +00:00
member-alt-contact-style-de.inc
member-alt-contact-style-fr.inc Bug 18110: Add a field FR to the syspref AddressFormat 2017-04-28 08:50:19 -04:00
member-alt-contact-style-us.inc
member-display-address-style-de.inc
member-display-address-style-fr.inc Bug 18110: Followup to fix alternative address and add missing class 2017-04-28 08:50:19 -04:00
member-display-address-style-us.inc Bug 16779: Move road type after address in US style address formatting (main address) 2016-07-08 13:09:55 +00:00
member-display-alt-address-style-de.inc Bug 10760: Alternate Address: Display street number and street type 2016-07-08 13:45:41 +00:00
member-display-alt-address-style-fr.inc Bug 18110: Followup to fix alternative address and add missing class 2017-04-28 08:50:19 -04:00
member-display-alt-address-style-us.inc Bug 10760: (followup) Move street type after address 2016-07-08 13:45:42 +00:00
member-main-address-style-de.inc Bug 15644 - City dropdown default selection when modifying a patron matches only on city 2017-09-19 11:47:32 -03:00
member-main-address-style-fr.inc Bug 15644 - City dropdown default selection when modifying a patron matches only on city 2017-09-19 11:47:32 -03:00
member-main-address-style-us.inc Bug 15644 - City dropdown default selection when modifying a patron matches only on city 2017-09-19 11:47:32 -03:00
members-menu.inc Bug 5670: [QA Followup] Housebound link from patron edit. 2016-10-21 18:18:00 +00:00
members-toolbar.inc Bug 19129 - Clean up Details tab for Organisation patrons 2017-09-01 13:02:23 -03:00
merge-record-strings.inc
merge-record.inc
messaging-preference-form.inc Bug 18692 - intranet part 2017-09-01 13:02:25 -03:00
nl-search-form.tt
noadd-warnings.inc Bug 17082: Translatability: Fix sentence splitting in member.tt 2016-08-10 13:49:48 +00:00
onboarding_messages.inc Bug 17942 - Update style of the web installer with Bootstrap 3 2017-05-09 20:54:30 +00:00
page-numbers.inc Bug 18005: Re-styled pagination on search results with Bootstrap 2017-02-07 17:48:10 +00:00
patron-article-requests.inc Bug 14610 - Follow-up 2016-10-26 12:15:23 +00:00
patron-search-box.inc Bug 17418 - Move staff client home page JavaScript to the footer 2016-12-16 11:53:39 +00:00
patron-search.inc Bug 19125: Fix Stored XSS in members.pl 2017-09-29 12:20:45 -03:00
patron-title.inc Bug 17365: Fix XSS in moremember.pl and memberentry.pl 2016-10-11 16:19:56 +00:00
patron-toolbar.inc Bug 19125: Fix Stored XSS in members.pl 2017-09-29 12:20:45 -03:00
patroncards-errors.inc Bug 18660: Translatability: Get rid of template directives [%% in translation for patroncards-errors.inc 2017-08-30 16:43:36 -03:00
patroncards-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
patrons-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
permissions.inc Bug 12461 - Add patron clubs feature 2017-04-28 08:37:44 -04:00
popup-bottom.inc
prefs-admin-search.inc Bug 16726: Clear text in syspref searchbox after submitting 2017-09-01 13:00:06 -03:00
prefs-menu.inc
printers-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
quotes-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
quotes-upload-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
reports-menu.inc Bug 6934: Fix code in CashRegisterStats (dataTables pagination, more accurate descriptions, add a delimiter pull down, change C4::Dates to Koha::DateUtils) 2016-10-28 11:50:24 +00:00
reports-toolbar.inc Bug 18283: 'sql' should be 'SQL' 2017-03-31 14:07:53 +00:00
resort_form.inc
rotating-collections-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
search_indexes.inc Bug 18839: Suggestion.pl spelling mistake 2017-07-13 16:42:04 -03:00
select2.inc Bug 13501: Highlight select2 control if field is required and value is missing 2016-09-02 16:25:04 +00:00
serials-menu.inc
serials-search.inc Bug 17025: Fix XSS in serials-search.pl 2016-08-10 13:17:19 +00:00
serials-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
slip-print.inc Bug 17014 - Remove more event attributes from patron templates 2017-03-31 14:33:51 +00:00
strings.inc Bug 18839: Suggestion.pl spelling mistake 2017-07-13 16:42:04 -03:00
subscriptions-search.inc Bug 17537: Fix valid-templates.t for some include files 2016-11-04 11:03:48 +00:00
subtypes_unimarc.inc
suggestions-add-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
timepicker.inc
tools-item-action.inc
tools-menu.inc Bug 12461 - Add patron clubs feature 2017-04-28 08:37:44 -04:00
tools-nomatch-action.inc
tools-overlay-action.inc
validator-strings.inc
vendor-menu.inc
virtualshelves-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
wysiwyg-systempreferences.inc
z3950-admin-search.inc Bug 14902 - Add qualifier menu to staff side "Search the Catalog" 2016-07-08 13:57:59 +00:00
z3950_search.inc Bug 16812: Revise JS script for z3950_search.tts and remove onclick events 2016-07-15 15:24:57 +00:00