Koha/koha-tmpl/intranet-tmpl/prog/en
Josef Moravec b59988f78d Bug 19738: Fix XSS on vendor name in serials module
Test plan:

1) do not apply this patch
2) Have at least one vendor whose name contains javascript, for
example: <i>Vendor 1</i><script>alert('Hi');</script>
3) go to serial module and create new subscription
4) use "Search for vendor"
5) Search for your vendor, when search results table is presented, the
javascript is executed
6) go through subscription creation and save the new subscription
7) On subscription detail page, the javascript is executed as well
8) apply this patch
9) Repeat 3-7, the script is not executed, the input is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-15 16:04:40 -03:00
data Bug 17288: (follow-up) Fix marc21_field_007.xml 2017-08-25 10:59:03 -03:00
includes Bug 19641: Move patron templates to the footer 2018-02-15 13:30:23 -03:00
js
modules Bug 19738: Fix XSS on vendor name in serials module 2018-02-15 16:04:40 -03:00
xslt Bug 17827 - Untranslatable "by" in MARC21slim2intranetResults.xsl 2017-09-01 11:14:58 -03:00
columns.def