Koha/koha-tmpl/intranet-tmpl/prog/en/modules/reports
Amit Gupta 1a7040b7b0 Bug 19054 - XSS Flaws in Report - Top Most-circulated items
1. Hit /cgi-bin/koha/reports/cat_issues_top.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Callnumber, Day, Month and Year search boxes.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload the page, and enter the iframe again in the Callnumber, Day, Month and Year search boxes.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00
csv Bug 18331: POST_CHOMP everywhere! 2017-08-15 12:17:41 -03:00
acquisitions_stats.tt
bor_issues_top.tt Bug 17835: Replace GetItemTypes with Koha::ItemTypes 2017-04-14 10:43:51 -04:00
borrowers_out.tt
borrowers_stats.tt
cash_register_stats.tt Bug 18919: Repair "Transaction branch" in cash_register_stats.pl 2017-08-15 12:17:45 -03:00
cat_issues_top.tt Bug 19054 - XSS Flaws in Report - Top Most-circulated items 2017-08-29 12:00:37 -03:00
catalogue_out.tt Bug 17835: Replace GetItemTypes with Koha::ItemTypes 2017-04-14 10:43:51 -04:00
catalogue_stats.tt
convert_report.tt Bug 18667: Show a diff view of SQL reports when converting 2017-07-13 16:39:04 -03:00
dictionary.tt Bug 11235: Names for reports and dictionary are cut off when quotes are used 2017-06-15 15:27:46 -03:00
guided_reports_start.tt Bug 18985 - SQL reports 'Last edit' and 'Last run' columns sort alphabetically, not chronologically 2017-08-10 16:25:35 -03:00
issues_avg_stats.tt Bug 13452: 'Average loan time' report to obey item-level_itypes preference 2017-06-15 15:27:45 -03:00
issues_by_borrower_category.tt
issues_stats.tt Bug 17835: Replace GetItemTypes with Koha::ItemTypes 2017-04-14 10:43:51 -04:00
itemslost.tt Bug 18279: Remove C4::Items::GetLostItems 2017-06-05 11:43:26 -03:00
itemtypes.tt
orders_by_budget.tt
reports-home.tt Bug 18643: Remove dead code in reports/statistics 'Till reconciliation' 2017-06-05 11:43:53 -03:00
reserves_stats.tt Bug 17835: Add an additional LEFT JOIN condition using DBIx::Class 2017-04-14 10:43:52 -04:00
serials_stats.tt