Koha/koha-tmpl/opac-tmpl/bootstrap/en
Liz 52fe123891 Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves
A specially crafted URL causes XSS in Koha

To test:

cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E

cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves

These should cause a popup without the patch. With the patch, no popup.

You may need to create these lists; the XSS will not be triggered if the list doesn't exist or you don't have permission to view them.

Signed-off-by: Chris <chris@bigballofwax.co.nz>

Fixes the two listed problems

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed patch fixes the problem.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-01-22 16:35:47 -03:00
includes Bug 11944: remove url/uri filter from query_cgi 2015-01-13 13:07:41 -03:00
modules Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves 2015-01-22 16:35:47 -03:00
xslt Bug 13227: Display856uAsImage displays images in OPAC in original size 2014-11-16 12:12:48 -03:00