Koha/koha-tmpl/intranet-tmpl/prog/en/includes
Chris Cormack 951f3346a2 Bug 13425 - XSS in intranet facets - Patch for 3.18 and master
To Test
1/ Craft a URL like /cgi-bin/koha/catalogue/search.pl?q=smith&sort_by='"><script>prompt('Happy_Holidays')</script>

It is important that it returns results and facets

2/ Notice the js is executed
3/ Apply the patch, test again

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
No prompts, no functional regressions found.
Checked selecting and undoing facets, show more links and paging.
Signed-off-by: Mason James <mtj@kohaaloha.com>

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-12-26 21:03:17 -03:00
catalogue Bug 11425 [Template follow-up] Search form for items 2014-11-04 19:10:29 -03:00
csv_headers/acqui Bug 12110: Display the order vendor note in basket and basketgroup CSV and PDF 2014-05-25 15:21:22 +00:00
virtualshelves/merge
acquisitions-add-to-basket.inc Bug 11665: An ability to place orders directly from hold ratios list 2014-05-04 19:13:39 +00:00
acquisitions-menu.inc
acquisitions-search.inc
acquisitions-toolbar.inc
additem.js.inc
admin-items-search-field-form.inc Bug 11425: Add item search form in staff interface 2014-11-04 19:08:12 -03:00
admin-menu.inc Bug 11425: Add item search form in staff interface 2014-11-04 19:08:12 -03:00
auth-finder-search.inc Bug 10808: make authority search form retain drop-down selections 2013-12-10 04:25:12 +00:00
authorities-search-results.inc Bug 7442: (follow-up) restore display of heading type for non-UNIMARC 2014-05-05 01:27:33 +00:00
authorities-search.inc
authorities-toolbar.inc Bug 13218: usability enhancements for z39.50 searches 2014-12-17 22:32:28 -03:00
authorities.inc
authorities_js.inc Bug 12295: fix Javascript error when merging authorities 2014-06-05 12:16:39 -03:00
av-build-dropbox.inc Bug 766: (follow-up) improve usage comments in new TT include 2014-05-04 23:11:34 +00:00
biblio-default-view.inc
biblio-view-menu.inc
borrower_debarments.inc Bug 11182: remove spurious logged warnings in circulation 2014-04-29 17:49:48 +00:00
browser-strings.inc
budgets-active-currency.inc
budgets-admin-search.inc
budgets-admin-toolbar.inc
calendar.inc Bug 10694: (follow-up) fix various issues 2014-05-02 21:44:46 +00:00
cat-menu.inc
cat-search.inc Bug 12094: fix default tab selection broken by jQueryUI upgrade 2014-04-22 14:51:18 +00:00
cat-toolbar.inc Bug 13254 - Delete record doesn't wait for confirmation 2014-11-16 21:21:43 -03:00
cataloging-search.inc Bug 11905 - when editing item, cursor is positioned in search box and not in item 2014-07-30 11:57:31 -03:00
checkin-search.inc
checkouts-table-footer.inc Bug 12899: Row grouping in checkouts table is alphabetical and depends on translation 2014-09-16 15:20:51 -03:00
checkouts-table.inc Bug 13190: Refactor the checkouts table template code 2014-11-06 10:00:42 -03:00
circ-menu.inc Bug 12542: Tabs inconsistency in different circ-menu.inc uses 2014-07-18 10:41:27 -03:00
circ-menu.tt Bug 12542: Tabs inconsistency in different circ-menu.inc uses 2014-07-18 10:41:27 -03:00
circ-search.inc
cities-admin-search.inc
columns_settings.inc Bug 10212: Move colvis files to the include file 2014-08-26 09:28:58 -03:00
contracts-admin-search.inc
currencies-admin-search.inc
datatables-strings.inc Bug 11555: Make "All" one of the default options for datatables 2014-03-10 18:49:33 +00:00
datatables.inc Bug 12987: The new format_price include file should be included when using datatables 2014-11-11 09:46:27 -03:00
date-format.inc
doc-head-close-receipt.inc
doc-head-close.inc Bug 12150 - Use more javascript string formatting in intranet for translated strings. 2014-07-03 09:52:48 -03:00
doc-head-open.inc Bug 13112 - Add name of template file in html comment for each '.tt' file. 2014-10-28 10:45:32 -03:00
facets.inc Bug 13425 - XSS in intranet facets - Patch for 3.18 and master 2014-12-26 21:03:17 -03:00
file-upload.inc Bug 12103 - Move ajaxfileupload jQuery plugin outside of language-specific directory 2014-04-25 15:09:16 +00:00
form-blocks.inc
format_price.inc Bug 12987: Update table footer with the visible rows 2014-11-11 09:46:21 -03:00
greybox.inc Bug 12101 - Move Greybox library outside of language-specific directory 2014-04-25 15:14:03 +00:00
guided-reports-view.inc
header.inc Bug 13176 - Add links "My account" and "My checkouts" for logged in user to drop down in staff client header 2014-11-11 09:48:06 -03:00
help-bottom.inc Bug 12700 - Capitalization: "Close Help Window" in context help 2014-08-11 11:40:24 -03:00
help-top.inc Bug 12494 - Remove yuipath system preference 2014-10-29 22:06:57 -03:00
home-search.inc Bug 9811: Patron search improvement 2014-07-01 09:57:09 -03:00
installer-doc-head-close.inc Bug 12658: Wording of link text and translatability inside JavaScript 2014-08-15 15:36:11 -03:00
intranet-bottom.inc Bug 12597 - Give better visual indication of currently-selected language in the staff client 2014-08-05 20:49:20 -03:00
intranetstylesheet.inc
labels-menu.inc
labels-toolbar.inc
letters-search.inc
members-menu.inc
members-toolbar.inc Bug 12971 - Regression: Patron print summary doesn't show checkouts 2014-11-19 09:49:01 -03:00
merge-record-strings.inc Bug 12150 - Use more javascript string formatting in intranet for translated strings. 2014-07-03 09:52:48 -03:00
merge-record.inc
messaging-preference-form.inc
nl-search-form.tt Bug 11401: Add support for Norwegian national library card 2014-11-14 09:42:23 -03:00
page-numbers.inc Bug 13425 - XSS in intranet facets - Patch for 3.18 and master 2014-12-26 21:03:17 -03:00
patron-search-box.inc Bug 11570 - Upgrade jQueryUI to latest version in the staff client 2014-04-07 15:37:27 +00:00
patron-search.inc Bug 13233 - Patron search by birth date tooltip broken 2014-11-16 12:14:15 -03:00
patron-title.inc Bug 9811: Patron search improvement 2014-07-01 09:57:09 -03:00
patron-toolbar.inc
patroncards-errors.inc
patroncards-menu.inc
patroncards-toolbar.inc
patrons-admin-search.inc
popup-bottom.inc
prefs-admin-search.inc
prefs-menu.inc Bug 12190: fold the "Creators" system preference tab into "Tools" 2014-05-23 13:09:51 +00:00
printers-admin-search.inc
quotes-toolbar.inc
quotes-upload-toolbar.inc
reports-menu.inc
reports-toolbar.inc Bug 12214: (follow-up) Clean up reports-toolbar.inc, show Edit link when SQL has errors 2014-05-09 14:40:15 +00:00
resort_form.inc
rotating-collections-toolbar.inc Bug 8836 [Template follow-up] Resurrect Rotating Collections 2014-11-06 15:12:19 -03:00
search_indexes.inc Bug 9368 [ALTERNATE] - specific behavior of yr and acqdate indexes 2014-10-22 15:16:55 -03:00
serials-menu.inc
serials-search.inc
serials-toolbar.inc Bug 11271 - Serials table off the screen in smaller viewports 2014-11-21 20:29:52 -03:00
slip-print.inc Bug 11014 - Slip Print Problem in Chrome 2014-05-30 16:05:23 -03:00
stopwords-admin-search.inc
strings.inc Bug 13122 - Patron holds table no longer display date item went in transit 2014-11-16 21:08:52 -03:00
subscriptions-search.inc
subtypes_unimarc.inc Bug 11503: fix several typos 2014-01-13 20:47:03 +00:00
suggestions-add-search.inc
timepicker.inc Bug 11618: ensure jQuery timepicker is picked up by the i18n toolchain 2014-02-18 21:19:16 +00:00
tools-item-action.inc
tools-menu.inc Bug 12403: Add a batch record deletion 2014-11-07 15:25:49 -03:00
tools-nomatch-action.inc
tools-overlay-action.inc
validator-strings.inc
vendor-menu.inc
virtualshelves-toolbar.inc Bug 10714: Redirect to list contents view upon save after initiating edit from list contents view (staff) 2014-02-20 16:53:32 +00:00
z3950-admin-search.inc Bug 6536: QA Follow-up for string changes referring to Z39.50 2014-09-01 10:09:14 -03:00