From 2301be80b1be5213bcd265d221f0303f43b1e5ff Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Fri, 19 Jun 2015 11:41:45 +1200 Subject: [PATCH] Bug 14418 : More XSS vulnerabilities in opac-shelves.pl To test: 1/ Hit a url like /cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="> Where the id is a valid shelf id 2/ Notice the js is executed 3/ Apply patch 4/ Reload page 5/ Notice input is now escaped on display Signed-off-by: Jonathan Druart Signed-off-by: Katrin Fischer Tested in Debian, couldn't reproduce the alert in Iceweasel, but in Chromium. Patch fixes it. --- koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt index 6bdf174542..f31f86fd37 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt @@ -527,7 +527,7 @@ [% IF ( edit ) %]
- +
Editing [% shelfname |html %] -- 2.39.5