Koha/koha-tmpl/intranet-tmpl/prog/en/modules/acqui
Amit Gupta d31c635fe2 Bug 19112 - Stored XSS in basketheader.pl page
To Test

1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add text containing JavaScript in the fields Basket name, Internal note, and Vendor note
3. Save the page
4. Notice that the JS is executed
5. Apply the patch, reload; the JS is escaped.

Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00
csv Bug 18331: POST_CHOMP everywhere! 2017-08-15 12:17:41 -03:00
tables
acqui-home.tt
addorder.tt
addorderiso2709.tt Bug 15503 (QA Followup) 2017-02-14 15:11:03 +00:00
ajax.tt
basket.tt Bug 19112 - Stored XSS in basketheader.pl page 2017-08-29 12:00:37 -03:00
basketgroup.tt
basketheader.tt Bug 19112 - Stored XSS in basketheader.pl page 2017-08-29 12:00:37 -03:00
booksellers.tt Bug 19112 - Stored XSS in basketheader.pl page 2017-08-29 12:00:37 -03:00
cancelorder.tt
edi_ean.tt
edifactmsgs.tt
edimsg.tt
histsearch.tt
invoice-files.tt
invoice.tt Bug 11122: Follow up - Fix some display issues and typos 2017-06-05 11:48:16 -03:00
invoices.tt Bug 19052 - XSS Flaws in - Invoice search page 2017-08-29 12:00:37 -03:00
lateorders.tt
modordernotes.tt
neworderbiblio.tt
neworderempty.tt Bug 18525: (bug 14828 follow-up) FIX ordering from suggestion when item-level_itypes = biblio 2017-05-12 08:50:40 -04:00
neworderempty_duplicate.tt
newordersubscription.tt
newordersuggestion.tt Bug 17899 - Show only mine does not work in newordersuggestion.pl 2017-01-20 14:10:36 +00:00
ordered.tt Bug 17771: Add link to bibliographic record on spent/ordered lists in acquisitions 2017-01-19 11:44:29 +00:00
orderreceive.tt Bug 14541: Do not truncate tax rate values 2016-12-09 16:29:33 +00:00
parcel.tt Bug 18722: Fund name is not shown in received orders fund subtotals 2017-06-09 11:32:48 -03:00
parcels.tt
spent.tt Bug 17771 [QA Followup] - Tidy table html 2017-01-19 11:48:55 +00:00
supplier.tt Bug 19118 - Due to wrong variable name passed vendor name is not coming in browser title bar 2017-08-25 12:12:25 -03:00
transferorder.tt Bug 11122: Follow up - Fix some display issues and typos 2017-06-05 11:48:16 -03:00
uncertainprice.tt Bug 11122: Follow up - Fix some display issues and typos 2017-06-05 11:48:16 -03:00
z3950_search.tt Bug 17487: Styling moved from style attribute into staff-global.css 2017-01-20 14:11:55 +00:00