Koha/koha-tmpl/intranet-tmpl/prog/js
Nicolas Legrand f806ae6277 Bug 24412: (follow-up) prevent js injection
Some JS variables are not properly escaped and can be executed if
they contain JavaScript.

1. have a waiting reserve attached to a desk
2. change the desk name to: <script>alert("❤");</script>
3. go to the user's checkout page (circulation.pl) and click on the
Hold(s) tab
4. you should see a popup with a ❤ in it
5. apply the patch and refresh the page
6. now you should see the desk name printed properly in the page:
<script>alert("❤");</script>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-11-06 15:55:17 +01:00
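The commit's test plan is a stored XSS through a staff-controlled desk name that holds.js interpolates into markup for the Hold(s) tab. The example below is added here to show the pattern and the fix side by side; it is not code from Koha or from this commit. The function names (renderHoldRowUnsafe, renderHoldRowSafe, escapeHtml, hasUnexpectedTag), the shape of the hold object and the sample data are assumptions for the demo, not Koha's actual holds.js API.

```javascript
// Added example, not Koha's own code. Names and the `hold` object shape are
// assumptions for this demo; the real Koha fix lives in holds.js.

// Minimal HTML escaper for the five characters that break out of text or
// attribute context. '&' goes first so the entities we emit are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inverse of escapeHtml, i.e. what the browser shows as text once the
// escaped string is rendered. '&amp;' goes last for the same ordering reason.
function unescapeHtml(value) {
  return String(value)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

// BEFORE: raw interpolation. A desk named <script>alert("❤");</script>
// becomes a live <script> element as soon as this string reaches .html()
// or a DataTables cell renderer.
function renderHoldRowUnsafe(hold) {
  return '<td>' + hold.title + '</td>' +
         '<td>' + hold.desk_name + '</td>';
}

// AFTER: every data value is escaped at the point it enters HTML, so the
// desk name is displayed literally, as step 6 of the test plan expects.
function renderHoldRowSafe(hold) {
  return '<td>' + escapeHtml(hold.title) + '</td>' +
         '<td>' + escapeHtml(hold.desk_name) + '</td>';
}

// Review/unit-test helper: does the markup contain any tag that is not part
// of the template? This template only emits <td> and </td>.
function hasUnexpectedTag(html) {
  return /<(?!\/?td>)[^>]*>/.test(html);
}

// Constructed sample matching the commit's test plan (step 2).
const sampleHold = {
  title: 'Tom & Jerry',
  desk_name: '<script>alert("❤");</script>',
};

console.log('unsafe:', renderHoldRowUnsafe(sampleHold));
console.log('safe  :', renderHoldRowSafe(sampleHold));
```

When the row is built with jQuery rather than string concatenation, the equivalent fix is to set data through `.text()` (or `document.createTextNode`) instead of `.html()`; escaping is only needed where the code insists on assembling markup as a string.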
pages Bug 26154: Remove the use of jquery.checkboxes plugin from batch item deletion and modification 2020-10-12 11:28:41 +02:00
acq.js Bug 26217: Move translatable strings out of templates into acq.js 2020-09-29 14:28:18 +02:00
acquisitions-menu.js Bug 24347: Add a 'search to order' option similar to 'search to hold' 2020-01-30 10:58:03 +00:00
additem.js Bug 25353: Correct eslint errors in additems.js 2020-10-26 00:14:42 +01:00
addorderiso2709.js Bug 26339: Move translatable strings out of addorderiso2709.tt into addorderiso2709.js 2020-09-29 14:28:18 +02:00
admin-menu.js
ajax.js Bug 26237: Move translatable strings out of preferences.tt and into JavaScript files 2020-09-29 14:28:18 +02:00
audio_alerts.js Bug 26225: Move translatable strings out of audio_alerts.tt and into audio_alerts.js 2020-09-29 14:28:18 +02:00
auth-finder-search.js
automatic_item_modification_by_age.js
background-job-progressbar.js Bug 18707: Background jobs post disabled inputs 2019-07-15 11:27:59 +01:00
basket.js Bug 26439: Move cart-related strings out of js_includes.inc and into basket.js 2020-11-04 12:59:34 +01:00
basketgroup.js
biblio_framework.js Bug 26225: Move translatable strings out of biblio_framework.tt and into biblio_framework.js 2020-09-29 14:28:18 +02:00
calendar.js Bug 26261: Split calendar.inc into include file and JavaScript file 2020-09-29 14:28:19 +02:00
cart.js Bug 26439: (QA follow-up) Correct MSG instances in cart.js 2020-11-04 12:59:34 +01:00
catalog.js Bug 26441: Move translatable strings out of catalog-strings.inc into catalog.js 2020-09-29 14:28:18 +02:00
cataloging.js Bug 22399: Improve responsive behavior of the basic marc editor 2020-11-04 12:59:33 +01:00
cataloging_additem.js Bug 25727: Do not open options on clear 2020-08-24 11:19:03 +02:00
categories.js Bug 26229: Move translatable strings out of categories.tt and into categories.js 2020-09-29 14:28:18 +02:00
charts.js
checkouts.js Bug 19351: Add items.copynumber to the checkouts table 2020-11-04 12:59:34 +01:00
circ-patron-search-results.js
datatables.js Bug 25287: Make the strings from .js translatable 2020-06-24 15:15:41 +02:00
desk_selection.js Bug 24201: (follow-up) add desk choice with library choice 2020-08-07 16:54:40 +02:00
file-upload.js
funds_sorts.js
holds.js Bug 24412: (follow-up) prevent js injection 2020-11-06 15:55:17 +01:00
ill-availability-partner.js Bug 23173: (follow-up) Display available partners 2020-04-06 11:04:59 +01:00
ill-availability.js Bug 23173: Provide core infrastructure 2020-04-06 11:04:19 +01:00
ill-list-table.js Bug 24043: (QA follow-up) Fix another TypeError when retrieving status name 2020-05-01 08:10:35 +01:00
item_search_fields.js Bug 26230: Move translatable strings out of item_search_fields.tt and into item_search_fields.js 2020-09-29 14:28:18 +02:00
letter.js Bug 26395: Move translatable strings out of letter.tt into letter.js 2020-09-29 14:28:18 +02:00
localcovers.js Bug 25031: (QA follow-up) Improve handling of one or fewer images 2020-07-24 14:09:30 +02:00
mana.js Bug 22249: Mana - Move comment process in a dedicated sub 2019-07-26 16:08:08 +01:00
marc_modification_templates.js Bug 26065: Move translatable strings out of marc_modification_templates.tt and into marc_modification_templates.js 2020-08-18 15:45:49 +02:00
marc_subfields_structure.js Bug 25826: Forbid changing the hidden attributes for biblionumber 2020-08-07 09:55:50 +02:00
members-menu.js Bug 26334: Move translatable strings out of members-menu.inc into members-menu.js 2020-09-29 14:28:18 +02:00
members.js Bug 26245: Remove unused functions from members.js 2020-09-29 14:28:18 +02:00
merge-record.js Bug 25320: Move translatable strings out of merge-record-strings.inc into merge-record.js 2020-09-29 14:28:19 +02:00
messaging-preference-form.js Bug 22744: Changes for opac and remove JS 2019-09-23 11:57:46 +01:00
offlinecirc.js Bug 24545: (follow-up) Fix license statements 2020-02-24 13:31:27 +00:00
onboarding.js
register_selection.js Bug 24786: Allow selection of cash register at login 2020-11-06 15:39:59 +01:00
rotating-collections.js Bug 23013: Upgrade DataTables in the staff client 2019-08-22 15:23:19 +01:00
select2.js Bug 22399: Improve responsive behavior of the basic marc editor 2020-11-04 12:59:33 +01:00
serials-toolbar.js Bug 26256: Move translatable strings out of templates and into serials-toolbar.js 2020-09-29 14:28:18 +02:00
showpredictionpattern.js
sms_providers.js Bug 26240: Move translatable strings out of sms_providers.tt and into sms_providers.js 2020-09-29 14:28:18 +02:00
staff-global.js Bug 26562: Removes 'searches' from localStorage on logout 2020-09-29 14:28:19 +02:00
subscription-add.js Bug 23888: (follow-up) Wrap English string in translation function 2020-03-27 12:14:21 +00:00
table_filters.js Bug 24662: Remove global variables MSG_* from datatables.inc 2020-03-11 13:49:15 +00:00
tools-menu.js
viewlog.js Bug 26572: (QA follow-up) Escape strings in autocomplete 2020-11-04 12:59:34 +01:00
xmlControlfield.js
z3950_search.js Bug 26291: (follow-up) Correct stray MSG instances 2020-09-29 14:28:19 +02:00