Koha/C4
Kyle Hall 866d10d416
Bug 30969: Cross site scripting (XSS) attack in OPAC authority search ( opac-authorities-home.pl )
There appears to be a cross site scripting attack vulnerability in opac-authorities-home.pl, but it may be accessible from any page using C4::Output::pagination_bar.

https://MYKOHA.LOCAL/cgi-bin/koha/opac-authorities-home.pl?and_or=and%27%22()%26%25%3Csad%3E%3CScRiPt%20%3Ealert(document.domain)%3C/ScRiPt%3E&authtypecode=CORPO_NAME&excluding=1&marclist=all&op=do_search&operator=contains&orderby=HeadingAsc&type=opac&value=1

Test Plan:
1) Use the URL above to show the XSS vulnerability exists
2) Apply this patch
3) Restart all the things!
4) Reload the page, no XSS vulnerability!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-07-25 11:18:11 -03:00
AuthoritiesMarc
Barcodes
ClassSortRoutine Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
ClassSplitRoutine
Creators
External
Form
Heading
ILSDI Bug 29697: Reintroduce wrongly removed import 2022-07-25 09:30:39 -03:00
Installer Bug 30731: Remove Readonly::XS::MAGIC_COOKIE 2022-06-01 16:15:26 -03:00
Labels Bug 29697: Replace GetMarcBiblio occurrences with $biblio->metadata->record 2022-07-22 15:24:11 -03:00
Linker
Members
OAI Bug 29697: Use flag embed_items 2022-07-22 15:24:11 -03:00
Output
Patroncards
Reports Bug 29695: Remove C4::Reports::Guided::_get_column_defs 2022-04-12 11:40:16 +02:00
Search
Serials Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
SIP Bug 31202: Don't remove optional SIP fields with a value of "0" 2022-07-21 15:55:56 -03:00
Utils Bug 29648: (QA follow-up) Minor POD fix 2022-04-27 11:20:45 -10:00
Accounts.pm Bug 28854: (follow-up) Use Koha::Item->itemtype introduced with bug 20469 2022-07-13 10:35:46 -03:00
Acquisition.pm Bug 27045: (follow-up) Fix delimiter in header rows 2022-07-20 11:50:41 -03:00
Auth.pm Bug 30842: 2FA - Allow at least one old TOTP 2022-06-01 16:14:42 -03:00
Auth_cas_servers.yaml.sample
Auth_with_cas.pm
Auth_with_ldap.pm
Auth_with_shibboleth.pm
AuthoritiesMarc.pm Bug 29697: Replace GetMarcBiblio occurrences with $biblio->metadata->record 2022-07-22 15:24:11 -03:00
BackgroundJob.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
Barcodes.pm
Biblio.pm Bug 29697: Deal with the degraded view in detail.pl 2022-07-22 15:24:12 -03:00
Breeding.pm Bug 30813: (QA follow-up) Adjust three use statements 2022-06-08 11:40:32 -03:00
Budgets.pm
Calendar.pm
Charset.pm
Circulation.pm Bug 28854: Update circulation functionality for bundles 2022-07-13 10:35:27 -03:00
ClassSortRoutine.pm Bug 29951: Fix EXPORT for C4::ClassS*Routine modules 2022-07-08 15:29:56 -03:00
ClassSource.pm Bug 29951: Fix EXPORT for C4::ClassS*Routine modules 2022-07-08 15:29:56 -03:00
ClassSplitRoutine.pm Bug 29951: Fix EXPORT for C4::ClassS*Routine modules 2022-07-08 15:29:56 -03:00
Context.pm
Contract.pm
CourseReserves.pm
Creators.pm
Heading.pm Bug 25616: Uppercase hard coded lower case boolean operators for Elasticsearch 2022-02-24 14:35:36 -10:00
HoldsQueue.pm
HTML5Media.pm Bug 18984: Remove NORMARC support 2021-10-07 15:36:40 +02:00
ImportBatch.pm Bug 29333: Fix encoding of imported UNIMARC authorities 2022-07-08 15:43:33 -03:00
ImportExportFramework.pm Bug 13952: (follow-up) JS translatability, clean warns, other 2022-04-04 16:23:46 +02:00
InstallAuth.pm
Installer.pm
ItemCirculationAlertPreference.pm
Items.pm Bug 29697: Remove GetHiddenItemnumbers 2022-07-22 15:24:11 -03:00
Koha.pm Bug 29883: avoid uninitialized value warn in GetAuthorisedValues sub 2022-06-01 13:40:24 -03:00
Labels.pm Bug 21395: Make perlcritic happy 2020-06-29 12:37:02 +02:00
Languages.pm Bug 15067: Follow up to fix sorting 2021-08-04 14:06:43 +02:00
Letters.pm Bug 30838: Set to_address to smsalertnumber at send 2022-07-22 14:44:27 -03:00
Linker.pm
Log.pm
MarcModificationTemplates.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
Matcher.pm
Members.pm Bug 30275: Rename issues.renewals to issues.renewals_count 2022-07-05 09:45:55 -03:00
Message.pm Bug 30838: (QA follow-up) Add missing semicolon 2022-07-22 14:45:59 -03:00
Output.pm Bug 30969: Cross site scripting (XSS) attack in OPAC authority search ( opac-authorities-home.pl ) 2022-07-25 11:18:11 -03:00
Overdues.pm Bug 24865: (QA follow-up) Remove hardcoded notice name from protected_letters 2022-07-05 11:37:39 -03:00
Patroncards.pm
Record.pm Bug 29697: Fix t/db_dependent/Exporter/Record.t 2022-07-25 09:30:35 -03:00
Reports.pm
Reserves.pm Bug 12630: Rebase tests and cover CheckReserves 2022-06-13 10:24:50 -03:00
Ris.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
RotatingCollections.pm
Scheduler.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
Scrubber.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
Search.pm Bug 29697: Fix t/db_dependent/Search.t 2022-07-25 10:16:48 -03:00
Serials.pm Bug 29697: Replace GetMarcBiblio occurrences with $biblio->metadata->record 2022-07-22 15:24:11 -03:00
Service.pm
ShelfBrowser.pm Bug 29697: Replace GetMarcBiblio occurrences with $biblio->metadata->record 2022-07-22 15:24:11 -03:00
SMS.pm
SocialData.pm
Stats.pm Bug 19532: Recalls objects and tests 2022-03-14 22:45:51 -10:00
Suggestions.pm Bug 23991: (follow-up) Silence useless warnings 2022-06-27 13:23:06 -03:00
Tags.pm
Templates.pm
TmplToken.pm Bug 16011: $VERSION - Remove the $VERSION init 2016-03-24 17:20:28 +00:00
TmplTokenType.pm
TTParser.pm
UsageStats.pm
XISBN.pm Bug 30813: (QA follow-up) Adjust three use statements 2022-06-08 11:40:32 -03:00
XSLT.pm