Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/includes/admin-items-search-field-form.inc
Amit Gupta bfbba2339f Bug 19108: Fix Stored XSS in items_search_fields.pl 
To Test
1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
2. Add a text in the field Name and Label that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Fixed for new and edit page

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:50 -03:00

57 lines
2.2 KiB
HTML
Raw Blame History

[% PROCESS 'html_helpers.inc' %]
<ol>
<li>
[% IF field %]
<span class="label">Name: </span>
[% field.name |html %]
<input type="hidden" name="name" value="[% field.name %]">
[% ELSE %]
<label class="required" for="name">Name: </label>
<input type="text" name="name" id="name" class="required" required="required" />
<span class="required">Required</span>
[% END %]
</li>
<li>
<label class="required" for="label">Label: </label>
[% IF field %]
<input type="text" name="label" id="label" value="[% field.label |html %]" class="required" required="required" />
[% ELSE %]
<input type="text" name="label" id="label" class="required" required="required" />
[% END %]
<span class="required">Required</span>
</li>
<li>
<label for="tagfield" required="required">MARC field: </label>
<select id="tagfield" name="tagfield" class="required" required="required">
[% FOREACH tagfield IN ['001'..'999'] %]
[% IF field && field.tagfield == tagfield %]
<option value="[% tagfield %]" selected="selected">[% tagfield %]</option>
[% ELSE %]
<option value="[% tagfield %]">[% tagfield %]</option>
[% END %]
[% END %]
</select>
<span class="required">Required</span>
</li>
<li>
<label for="tagsubfield">MARC subfield: </label>
<select id="tagsubfield" name="tagsubfield">
[% codes = [''] %]
[% codes = codes.merge([0..9], ['a'..'z']) %]
[% FOREACH tagsubfield IN codes %]
[% IF field && field.tagsubfield == tagsubfield %]
<option value="[% tagsubfield %]" selected="selected">[% tagsubfield %]</option>
[% ELSE %]
<option value="[% tagsubfield %]">[% tagsubfield %]</option>
[% END %]
[% END %]
</select>
</li>
<li>
<label for="authorised_values_category">Authorised values category: </label>
<select id="authorised_values_category" name="authorised_values_category">
<option value="">- None -</option>
[% PROCESS options_for_authorised_value_categories authorised_value_categories => AuthorisedValues.GetCategories( selected => field.authorised_values_category ) %]
</select>
</li>
</ol>
View git blame Copy permalink