Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules
History
Amit Gupta 8c3da35130 Bug 19033: XSS Flaws in Currencies and exchange page 
1. Hit /cgi-bin/koha/admin/currency.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search currencies box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on search currencies box.
6. Notice it is no longer executed

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Fixes the issue, follows common practice on the codebase.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00
..
acqui Bug 19052 - XSS Flaws in - Invoice search page 2017-08-29 12:00:37 -03:00
admin Bug 19033: XSS Flaws in Currencies and exchange page 2017-08-29 12:00:37 -03:00
authorities Bug 18801 - Merging authorities has an invalid 'Default' type in the merge framework selector 2017-07-06 14:29:03 -03:00
basket Bug 12644 - Add subtitles to staff client cart 2017-08-15 12:17:45 -03:00
batch
catalogue Bug 18331: Fix CSV export (once and for all!) 2017-08-15 12:17:40 -03:00
cataloguing Bug 18277: Remove GetBiblionumberFromItemnumber - linkitem 2017-07-10 13:03:37 -03:00
circ Bug 18469: QA Follow-up 2017-08-15 12:17:43 -03:00
clubs Bug 18630: Translatability (Clubs): 'Cancel' is ambiguous and leads to mistakes 2017-06-15 15:56:00 -03:00
common Bug 13835: Popup with searches: results hidden by language menu in footer 2017-04-28 08:35:30 -04:00
course_reserves Bug 18367 - Fix untranslatable string from Bug 18264 2017-07-13 16:42:03 -03:00
errors
help Bug 18817: Update links manually 2017-08-25 10:22:14 -03:00
installer Bug 17942 [Follow-up] Update style of the web installer with Bootstrap 3 2017-05-09 20:54:31 +00:00
labels Bug 19050 - XSS Flaws in Quick spine label creator 2017-08-29 12:00:37 -03:00
members Bug 19080: Handle non-existing patrons gratefully 2017-08-25 11:03:37 -03:00
offline_circ
onboarding Bug 18702: Translatability: Get rid of exposed if statement in tt for translated onboardingstep2.tt 2017-06-05 16:35:23 -03:00
patron_lists
patroncards Bug 18465: (followup) Fix issue with patron lists an do not use clone 2017-07-06 14:52:54 -03:00
plugins Bug 18430 - Plugins page should have a link to viewing other types 2017-06-05 11:59:26 -03:00
reports Bug 19054 - XSS Flaws in Report - Top Most-circulated items 2017-08-29 12:00:37 -03:00
reserve Bug 18534 - When IndependentBranches is enabled the pickup location displayed incorrectly on request.pl 2017-05-19 10:33:19 -04:00
reviews
rotating_collections
serials Bug 13747: Fix problems with frequency descriptions containing quotes 2017-06-05 16:34:26 -03:00
services
sms
suggestion Bug 18581 - Add standard edit and delete buttons to suggestions list 2017-08-25 10:59:04 -03:00
tags Bug 5471 - Quotes in tags fail 2017-08-10 13:20:31 -03:00
test
tools Bug 19034: (followup 2) Fix letters.tt XSS flaw 2017-08-29 12:00:37 -03:00
virtualshelves Bug 18980: Show distinction between shared and private lists in staff 2017-08-10 13:20:31 -03:00
about.tt Bug 19000: Fix typo in closing p tag for items 2017-07-28 11:14:26 -03:00
auth.tt Bug 18314 (QA Followup) Use OpacBaseURL for password reset link 2017-05-12 10:59:10 -04:00
intranet-main.tt Bug 19041: (bug 17855 follow-up) Fix regression on bug 16058 2017-08-08 09:20:35 -03:00