Koha/koha-tmpl/intranet-tmpl/prog/en/includes
Chris 98901d27be Bug 14423: XSS in authorities-home
To test:
1/ Hit a url like http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=mainentry&and_or=and&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice you get 3 alert boxes
3/ Apply patch
4/ Hit the url again, no js

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-06-23 10:11:49 -03:00
catalogue Bug 14263: Fix export of item search results when translated 2015-06-04 10:08:40 -03:00
csv_headers Bug 14263: Fix export of item search results when translated 2015-06-04 10:08:40 -03:00
virtualshelves/merge
acquisitions-add-to-basket.inc Bug 11665: An ability to place orders directly from hold ratios list 2014-05-04 19:13:39 +00:00
acquisitions-menu.inc
acquisitions-search.inc
acquisitions-toolbar.inc
additem.js.inc
admin-items-search-field-form.inc Bug 11425: Add item search form in staff interface 2014-11-04 19:08:12 -03:00
admin-menu.inc Bug 11425: Add item search form in staff interface 2014-11-04 19:08:12 -03:00
auth-finder-search.inc
authorities-search-results.inc Bug 10985: [UNIMARC] Fix authority summary 2015-04-22 11:54:36 -03:00
authorities-search.inc Bug 14423: XSS in authorities-home 2015-06-23 10:11:49 -03:00
authorities-toolbar.inc Bug 11961 - Add a "Z39.50 search" button to the authority creation and modification pages. 2015-01-24 18:19:06 -03:00
authorities.inc
authorities_js.inc Bug 12295: fix Javascript error when merging authorities 2014-06-05 12:16:39 -03:00
av-build-dropbox.inc Bug 766: (follow-up) improve usage comments in new TT include 2014-05-04 23:11:34 +00:00
biblio-default-view.inc
biblio-view-menu.inc Bug 10355: paramater 'object' lost on the road 2015-06-08 16:25:54 -03:00
borrower_debarments.inc Bug 8007: Discharge - Glue 2015-04-30 12:33:53 -03:00
branch-selector.inc Bug 13040 [QA Followup] - Fix koha-qa.pl issues 2015-01-26 16:22:12 -03:00
browser-strings.inc
budgets-active-currency.inc
budgets-admin-search.inc
budgets-admin-toolbar.inc
calendar.inc Bug 10694: (follow-up) fix various issues 2014-05-02 21:44:46 +00:00
cat-menu.inc
cat-search.inc Bug 12094: fix default tab selection broken by jQueryUI upgrade 2014-04-22 14:51:18 +00:00
cat-toolbar.inc Bug 7561: Fast cataloging - Allow add/edit items and delete record 2015-04-08 11:22:44 -03:00
cataloging-search.inc Bug 13885: (QA followup) Remove tab, remove unnecessary permission check 2015-04-29 15:03:10 -03:00
checkin-search.inc
checkouts-table-footer.inc Bug 13492: Add the location column to the checkouts tables 2015-04-24 09:41:23 -03:00
checkouts-table.inc Bug 13492: Add the location column to the checkouts tables 2015-04-24 09:41:23 -03:00
circ-menu.inc Bug 8007: Discharge - Glue 2015-04-30 12:33:53 -03:00
circ-search.inc
cities-admin-search.inc
columns_settings.inc Bug 10212: Move colvis files to the include file 2014-08-26 09:28:58 -03:00
contracts-admin-search.inc
currencies-admin-search.inc
datatables-strings.inc
datatables.inc Bug 12987: The new format_price include file should be include on using datatables 2014-11-11 09:46:27 -03:00
date-format.inc
doc-head-close-receipt.inc
doc-head-close.inc Bug 12160: Rename intranetuserjs with IntranetUserJS 2015-05-26 10:42:07 -03:00
doc-head-open.inc Bug 13112 - Add name of template file in html comment for each '.tt' file. 2014-10-28 10:45:32 -03:00
empty_line.inc Bug 14263: Fix export of item search results when translated 2015-06-04 10:08:40 -03:00
facets.inc Bug 13789 - facets with accented utf-8 characters generate double encoded links 2015-03-07 21:05:04 +01:00
file-upload.inc Bug 12103 - Move ajaxfileupload jQuery plugin outside of language-specific directory 2014-04-25 15:09:16 +00:00
form-blocks.inc
format_price.inc Bug 12987: Update table footer with the visible rows 2014-11-11 09:46:21 -03:00
greybox.inc Revert "Bug 8992: Use the existing greybox plugin in interface/theme" 2015-04-29 12:07:23 -03:00
guided-reports-view.inc
header.inc Bug 13176 - Add links "My account" and "My checkouts" for logged in user to drop down in staff client header 2014-11-11 09:48:06 -03:00
help-bottom.inc Bug 12700 - Capitalization: "Close Help Window" in context help 2014-08-11 11:40:24 -03:00
help-top.inc Bug 13941: [2/2] Fix <body> tags missing id/class 2015-04-24 09:47:38 -03:00
home-search.inc Bug 9811: Patron search improvement 2014-07-01 09:57:09 -03:00
installer-doc-head-close.inc Bug 13941: [2/2] Fix <body> tags missing id/class 2015-04-24 09:47:38 -03:00
intranet-bottom.inc Bug 12597 - Give better visual indication of currently-selected language in the staff client 2014-08-05 20:49:20 -03:00
intranetstylesheet.inc
labels-menu.inc
labels-toolbar.inc
letters-search.inc
member-alt-address-style-de.inc Bug 4041: (QA followup) fix issues raised by koha-qa.pl 2015-04-29 12:04:07 -03:00
member-alt-address-style-us.inc Bug 4041: (QA followup) fix issues raised by koha-qa.pl 2015-04-29 12:04:07 -03:00
member-alt-contact-style-de.inc Bug 4041: (QA followup) fix issues raised by koha-qa.pl 2015-04-29 12:04:07 -03:00
member-alt-contact-style-us.inc Bug 4041: (QA followup) fix issues raised by koha-qa.pl 2015-04-29 12:04:07 -03:00
member-display-address-style-de.inc Bug 4041: Third step - Display address on patron's pages using the system preference 2015-04-29 11:25:11 -03:00
member-display-address-style-us.inc Bug 4041: Third step - Display address on patron's pages using the system preference 2015-04-29 11:25:11 -03:00
member-main-address-style-de.inc Bug 4041: (QA followup) fix issues raised by koha-qa.pl 2015-04-29 12:04:07 -03:00
member-main-address-style-us.inc Bug 4041: (QA followup) fix issues raised by koha-qa.pl 2015-04-29 12:04:07 -03:00
members-menu.inc Bug 8007: Discharge - Glue 2015-04-30 12:33:53 -03:00
members-toolbar.inc Bug 13970: Remove category_type related code 2015-06-11 10:11:01 -03:00
merge-record-strings.inc Bug 12150 - Use more javascript string formatting in intranet for translated strings. 2014-07-03 09:52:48 -03:00
merge-record.inc
messaging-preference-form.inc Bug 14127: Typo in message preference form - "mesage" 2015-05-06 10:39:54 -03:00
nl-search-form.tt Bug 11401: Add support for Norwegian national library card 2014-11-14 09:42:23 -03:00
page-numbers.inc Bug 13425 - XSS in intranet facets - Patch for 3.18 and master 2014-12-26 21:03:17 -03:00
patron-search-box.inc Bug 11570 - Upgrade jQueryUI to latest version in the staff client 2014-04-07 15:37:27 +00:00
patron-search.inc Bug 7380: Rename filter to avoid confusion 2015-05-19 10:10:31 -03:00
patron-title.inc Bug 12648: Fix conflict with bug 8096 2015-03-11 14:16:17 -03:00
patron-toolbar.inc Bug 11941: Add link to patron lists from the patron home page 2015-06-11 10:15:46 -03:00
patroncards-errors.inc
patroncards-menu.inc
patroncards-toolbar.inc
patrons-admin-search.inc
popup-bottom.inc
prefs-admin-search.inc
prefs-menu.inc Bug 12190: fold the "Creators" system preference tab into "Tools" 2014-05-23 13:09:51 +00:00
printers-admin-search.inc
quotes-toolbar.inc
quotes-upload-toolbar.inc
reports-menu.inc
reports-toolbar.inc Bug 12214: (follow-up) Clean up reports-toolbar.inc, show Edit link when SQL has errors 2014-05-09 14:40:15 +00:00
resort_form.inc
rotating-collections-toolbar.inc Bug 8836 [Template follow-up] Resurrect Rotating Collections 2014-11-06 15:12:19 -03:00
search_indexes.inc Bug 9368 [ALTERNATE] - specific behavior of yr and acqdate indexes 2014-10-22 15:16:55 -03:00
serials-menu.inc
serials-search.inc
serials-toolbar.inc Bug 13662: Fix the serials.receive_serials permissions 2015-06-05 12:53:09 -03:00
slip-print.inc Bug 11014 - Slip Print Problem in Chrome 2014-05-30 16:05:23 -03:00
stopwords-admin-search.inc
strings.inc Bug 9528: Add delivery branch to the place hold display 2015-04-30 16:45:26 -03:00
subscriptions-search.inc Bug 10971: Hide EAN search for MARC21 / template corrections 2015-04-24 20:14:52 -03:00
subtypes_unimarc.inc
suggestions-add-search.inc
timepicker.inc
tools-item-action.inc
tools-menu.inc Bug 11395: Add links to the new tool page 2015-03-05 15:27:01 +01:00
tools-nomatch-action.inc
tools-overlay-action.inc
validator-strings.inc
vendor-menu.inc
virtualshelves-toolbar.inc Bug 13986: Printing a list only prints the results of the page you are viewing 2015-05-15 16:01:33 -03:00
z3950-admin-search.inc Bug 6536: QA Follow-up for string changes referring to Z39.50 2014-09-01 10:09:14 -03:00