git.koha-community.org Git - koha.git/commit

]> git.koha-community.org Git - koha.git/commit

projects / koha.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: 5950aed) | patch

author	Amit Gupta <amit.gupta@informaticsglobal.com>
	Wed, 16 Aug 2017 12:26:17 +0000 (17:56 +0530)
committer	Katrin Fischer <katrin.fischer.83@web.de>
	Tue, 19 Sep 2017 21:15:10 +0000 (23:15 +0200)
commit	aa628f89fd356d6d4d975e68419844cb94d1cb73
tree	718305d181b9b4373ef162da6da4303388179d10	tree \| snapshot
parent	5950aed63ac3dcb88a64c0b6297dd70c4e7fb61c	commit \| diff

Bug 19127 - Stored XSS in csv-profiles.pl

To Test
1. Hit the page /cgi-bin/koha/tools/csv-profiles.pl?op=add_form
2. Add a text in the field Profile name, Profile description
and Profile MARC fields that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 7a3ee2dd8cb233d083d8a7b8636eca7c6d518b8b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 9b4777878f59c7a0c3653f54b6a2cff85bb278a8)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

koha-tmpl/intranet-tmpl/prog/en/modules/tools/csv-profiles.tt

diff | blob | history

Main Koha release repository