Koha/koha-tmpl/opac-tmpl
Chris Cormack 5bdf4601df Bug 13425 - XSS in opac facets - Patch for master and 3.18
To Test
1/ Craft a url like /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123

It is important that it must return results and facets

2/ Notice the js is executed
3/ Apply the patch, test again

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Popup is gone after applying the patch. Facet link still shows it but does not execute. It's gone after clicking the link.

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-12-11 12:10:32 -03:00
bootstrap Bug 13425 - XSS in opac facets - Patch for master and 3.18 2014-12-11 12:10:32 -03:00
lib Bug 12986: Upgrade the DataTables jQuery plugin to the latest version (1.10.2) 2014-11-10 12:45:59 -03:00