Koha/opac
Jonathan Druart abf1b6596c Bug 20982: Sanitize category to prevent XSS on opac-shelves.pl
== Test plan ==
1. Go to http://localhost:8080/cgi-bin/koha/opac-shelves.pl?category=function(){window.location.href%20=%20%27https://git.koha-community.org/stats/koha-master/authors.html%27}()
2. Note that you are redirected to another website
3. Apply the patch & restart services
4. Repeat the above and you are not redirected

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-05-26 09:26:54 +02:00
clubs Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
errors Bug 26048: Use ErrorDocument middleware for Plack HTTP errors 2021-01-27 10:30:43 +01:00
external/overdrive Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
rss
sci Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
sco Bug 24083: (follow-up) Make requested changes 2020-11-11 16:09:58 +01:00
svc Bug 27380: (follow-up) Remove earlier declaration and unused assignment 2021-02-12 12:30:58 +01:00
ilsdi.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
maintenance.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
oai.pl
opac-account-pay-return.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-account-pay.pl Bug 23215: Remove traces of the PayPal feature 2021-05-07 14:44:00 +02:00
opac-account.pl Bug 23215: Remove traces of the PayPal feature 2021-05-07 14:44:00 +02:00
opac-addbybiblionumber.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-alert-subscribe.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-article-request-cancel.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-authorities-home.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-authoritiesdetail.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-basket.pl Bug 18989: (QA follow-up) Make controllers use Koha::Biblio->hidden_in_opac 2021-05-12 14:12:07 +02:00
opac-blocked.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-browse.pl Bug 27200: (follow-up) Browse search interface update 2020-12-26 17:58:43 +01:00
opac-browser.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-changelanguage.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-course-details.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-course-reserves.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-detail.pl Bug 18989: Restore hidding items on detail 2021-05-12 14:12:07 +02:00
opac-discharge.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-downloadcart.pl Bug 5087: Add server-side check 2020-07-23 11:17:27 +02:00
opac-downloadshelf.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-export.pl Bug 24108: Make export file names consistent 2021-02-17 16:28:25 +01:00
opac-holdshistory.pl Bug 20936: (follow-up) add biblio and item relation to old holds and set a limit on search holds 2020-11-11 15:55:48 +01:00
opac-ics.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-idref.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-illrequests.pl Bug 22818: Add generation and sending of notices 2020-11-11 08:35:10 +01:00
opac-image.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-imageviewer.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-ISBDdetail.pl Bug 18989: (QA follow-up) Make controllers use Koha::Biblio->hidden_in_opac 2021-05-12 14:12:07 +02:00
opac-issue-note.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-library.pl Bug 13388: Add library pages to the OPAC 2020-05-04 09:11:03 +01:00
opac-main.pl Bug 27650: Fix variable passed to the template in opac-main 2021-03-08 15:15:48 +01:00
opac-MARCdetail.pl Bug 18989: (QA follow-up) Make controllers use Koha::Biblio->hidden_in_opac 2021-05-12 14:12:07 +02:00
opac-memberentry.pl Bug 18112: Use GetAuthValueDropbox from the template 2021-05-11 15:37:42 +02:00
opac-messaging.pl Bug 24663: Remove authnotrequired if set to 0 2020-09-03 10:40:35 +02:00
opac-modrequest-suspend.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-modrequest.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-mymessages.pl Bug 24663: Remove authnotrequired if set to 0 2020-09-03 10:40:35 +02:00
opac-news-rss.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-overdrive-search.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-passwd.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-password-recovery.pl Bug 26941: Fix OPAC password recovery error messages 2020-12-21 10:08:02 +01:00
opac-patron-consent.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-patron-image.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-privacy.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-ratings-ajax.pl
opac-ratings.pl
opac-readingrecord.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-recordedbooks-search.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-registration-verify.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-renew.pl Bug 24083: Add support for unseen_renewals 2020-11-11 16:09:58 +01:00
opac-reportproblem.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-request-article.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-reserve.pl Bug 27529: Choose patron's branch or item's homebranch if following group rules and patron cannot choose branch 2021-04-16 13:56:46 +02:00
opac-restrictedpage.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-retrieve-file.pl
opac-review.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-routing-lists.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-search-history.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-search.pl Bug 28241: Fix regex to allow for content before and after comma 2021-05-10 15:52:53 +02:00
opac-sendbasket.pl Bug 22343: (QA follow-up) Wrap email creation inside the try/catch block 2020-10-02 10:54:41 +02:00
opac-sendshelf.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-serial-issues.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-shareshelf.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-shelves.pl Bug 20982: Sanitize category to prevent XSS on opac-shelves.pl 2021-05-26 09:26:54 +02:00
opac-showmarc.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-showreviews.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-suggestions.pl Bug 26406: Fix suggestions filter at the OPAC 2021-02-15 11:18:25 +01:00
opac-tags.pl Bug 18989: (QA follow-up) Make controllers use Koha::Biblio->hidden_in_opac 2021-05-12 14:12:07 +02:00
opac-tags_subject.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-topissues.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-user.pl Bug 24083: Add support for unseen_renewals 2020-11-11 16:09:58 +01:00
tracklinks.pl Bug 27979: Modify TrackClicks to verify URL exists in DB when multiple uri 2021-04-16 12:28:18 +02:00
unapi