Koha/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-ISBDdetail.tt
Kyle M Hall 950fc8e101 Bug 19319: Reflected XSS Vulnerability in opac-MARCdetail.pl
Try going to this URL on your site: /cgi-bin/koha/opac-MARCdetail.pl?biblionumber=2"><TEST>

Test Plan:
1) Go to /cgi-bin/koha/opac-MARCdetail.pl?biblionumber=2"><TEST>
2) Note <TEST> is embedded all over the html
3) Apply this patch
4) Refresh the page, note the injection is gone!
5) Run the Koha QA test tools

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-01-09 16:02:25 -03:00


[% USE Koha %]
[% INCLUDE 'doc-head-open.inc' %]
<title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog &rsaquo; ISBD view</title>
[% INCLUDE 'doc-head-close.inc' %]
[% BLOCK cssinclude %][% END %]
</head>
[% INCLUDE 'bodytag.inc' bodyid='opac-isbddetail' bodyclass='scrollto' %]
[% INCLUDE 'masthead.inc' %]
<div class="main">
<ul class="breadcrumb">
<li><a href="/cgi-bin/koha/opac-main.pl">Home</a> <span class="divider">&rsaquo;</span></li>
<li><a href="#">ISBD view</a></li>
</ul>
<div class="container-fluid">
<div class="row-fluid">
<div class="span9">
<div id="opac-detail" class="maincontent">
<div id="usermarcdetail">
<div id="catalogue_detail_biblio">
<div id="views">
<span class="view"><a id="Normalview" href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblio.biblionumber %]">Normal view</a></span> <span class="view"><a id="MARCview" href="/cgi-bin/koha/opac-MARCdetail.pl?biblionumber=[% biblio.biblionumber %]">MARC view</a></span> <span class="view current-view"><span id="ISBDview">ISBD view</span></span></div>
<div id="isbdcontents">[% ISBD %]</div>
</div> <!-- / #catalogue_detail_biblio -->
</div> <!-- / #usermarcdetail -->
</div> <!-- / #opac-detail -->
</div> <!-- / .span9 -->
<div class="span3">
[% INCLUDE 'opac-detail-sidebar.inc' %]
</div>
</div> <!-- / .row-fluid -->
</div> <!-- / .container-fluid -->
</div> <!-- / .main -->
[% INCLUDE 'opac-bottom.inc' %]
[% BLOCK jsinclude %][% END %]
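The page shows only the patched template, in which the view links take the number from the loaded record (`[% biblio.biblionumber %]`) rather than from the request, and it does not show the pre-patch template or opac-MARCdetail.pl. As an added example that is not Koha code, the following Python model reproduces the pattern the test plan exercises (a request value dropped unchanged into an href attribute, so `2"><TEST>` closes the attribute and the tag) and the two independent defences a reviewer would look for: validating the parameter as a bare integer before use, and percent-encoding it for the query-string context (what Template Toolkit's `uri` filter does). The function names, the HTML fragment and the payload constant are assumptions chosen to resemble the links in the listing above.

```python
"""Model of the reflected-XSS pattern behind Koha Bug 19319 (added example,
not Koha's own code; names and HTML fragment are assumptions)."""
import html
import re
from urllib.parse import quote

# Constructed from the commit's test plan: biblionumber=2"><TEST>
PAYLOAD = '2"><TEST>'

HREF_PREFIX = '/cgi-bin/koha/opac-detail.pl?biblionumber='


def render_unsafe(param: str) -> str:
    """Hypothetical pre-fix pattern: the raw CGI value is interpolated into
    an href attribute unchanged. With PAYLOAD the double quote closes the
    attribute and the '>' closes the <a> tag, so <TEST> becomes markup."""
    return f'<a id="Normalview" href="{HREF_PREFIX}{param}">Normal view</a>'


def parse_biblionumber(param: str):
    """Input validation: a biblionumber is a record id, so anything other
    than a bare decimal integer is rejected (None). Using the id of the
    record actually loaded from the database, as the patched template
    does, gives the same guarantee: the value never comes from the URL."""
    return int(param) if re.fullmatch(r"[0-9]+", param) else None


def render_validated(param: str):
    """First defence: refuse to render at all when the id is not an
    integer. Returns None so the caller can answer with an error page."""
    bn = parse_biblionumber(param)
    if bn is None:
        return None
    return f'<a id="Normalview" href="{HREF_PREFIX}{bn}">Normal view</a>'


def render_encoded(param: str) -> str:
    """Second, independent defence: encode for the output context. The
    value sits in a URL query string, so percent-encode it (Template
    Toolkit's 'uri' filter); '"' becomes %22 and '<' / '>' become %3C /
    %3E, so the attribute cannot be closed early even if validation is
    missing. html.escape(param, quote=True) would also neutralise it but
    is the wrong encoding for a URL component."""
    return (f'<a id="Normalview" href="{HREF_PREFIX}{quote(param, safe="")}">'
            'Normal view</a>')


def reflects_marker(page: str, marker: str = "<TEST>") -> bool:
    """The check from the test plan: is the marker present as raw markup?"""
    return marker in page


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe),
                     ("validated", render_validated),
                     ("encoded", render_encoded)):
        out = fn(PAYLOAD)
        print(f"{name:9} reflected={reflects_marker(out or '')}: {out!r}")
    # Only the unsafe rendering reflects <TEST>; note html.escape for contrast
    print("html-escaped:", html.escape(PAYLOAD, quote=True))
```

Either layer alone stops this payload, but they fail differently: validation makes the bad request an error, while encoding renders a harmless page. Koha's patched template relies on the first kind of guarantee, so the `uri`/`html` filters remain the right habit for any value that genuinely comes from the request.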