From d0c34a3bacc72a0ba8b516e3ea95aa173b7fae34 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Tue, 2 Aug 2016 14:15:09 +0100 Subject: [PATCH] Bug 17023: Fix XSS in acqui/z3950_search.pl MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Test plan: Enter the following in the different inputs: => Without this patch you will see the alert => With this patch, no more alert Signed-off-by: Chris Cormack Signed-off-by: Katrin Fischer Signed-off-by: Brendan Gallagher (cherry picked from commit eb543a90848b97d35aa15052c8881134926a3ed0) Signed-off-by: Frédéric Demians (cherry picked from commit 7cb27f092a4c699fcd428083383eef6f515da3e3) Signed-off-by: Julian Maurice
---
 .../prog/en/modules/acqui/z3950_search.tt | 56 +++++++++---------- 1 file changed, 28 insertions(+), 28 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/z3950_search.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/z3950_search.tt
index 909297feee..d19219a0e0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/z3950_search.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/z3950_search.tt
@@ -85,7 +85,7 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color : [% INCLUDE 'header.inc' %] [% INCLUDE 'acquisitions-search.inc' %] - +
@@ -98,11 +98,11 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
  1. -
  2. +
  3. -
  4. -
  5. +
  6. +
7.
@@ -120,9 +120,9 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :

Clear search form

- - - + + +

Search targets Select allClear all

@@ -142,7 +142,7 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
-
Cancel
+
Cancel
@@ -150,14 +150,14 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :

Search results

You searched for:
- [% IF ( title ) %]Title: [% title %] [% END %]
- [% IF ( author ) %]Author: [% author %] [% END %]
- [% IF ( isbn ) %]ISBN: [% isbn %] [% END %]
- [% IF ( issn ) %]ISSN: [% issn %] [% END %]
- [% IF ( lccall ) %]LC call number: [% lccall %] [% END %]
- [% IF ( subject ) %]Subject heading: [% subject %] [% END %]
- [% IF ( controlnumber ) %]Control no: [% controlnumber %] [% END %]
- [% IF ( dewey ) %]Dewey: [% dewey %] [%END %]
+ [% IF ( title ) %]Title: [% title | html %] [% END %]
+ [% IF ( author ) %]Author: [% author | html %] [% END %]
+ [% IF ( isbn ) %]ISBN: [% isbn | html %] [% END %]
+ [% IF ( issn ) %]ISSN: [% issn | html %] [% END %]
+ [% IF ( lccall ) %]LC call number: [% lccall | html %] [% END %]
+ [% IF ( subject ) %]Subject heading: [% subject | html %] [% END %]
+ [% IF ( controlnumber ) %]Control no: [% controlnumber | html %] [% END %]
+ [% IF ( dewey ) %]Dewey: [% dewey | html %] [%END %]

[% IF ( breeding_loop ) %]
@@ -175,13 +175,13 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color : [% IF ( breeding_loo.breedingid ) %] [% IF ( breeding_loo.toggle ) %][% ELSE %][% END %] - [% breeding_loo.server %] + [% breeding_loo.server %] [% breeding_loo.title |html %] [% breeding_loo.author %] [% breeding_loo.isbn %] [% breeding_loo.lccn %] MARC | Card - Order + Order [% END %]
@@ -192,16 +192,16 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color : - - - - - - - - - - + + + + + + + + + + [% FOREACH server IN servers %] -- 2.39.5
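Review bot: The rewritten dewey line in the @@ -150 hunk keeps the oddly spaced `[%END %]` directive while the seven lines above it use `[% END %]`; since the line is being touched anyway, `[% IF ( dewey ) %]Dewey: [% dewey | html %] [% END %]` would keep the block consistent. The surrounding markup appears to have been stripped in this rendering, so whether any of these values are also emitted inside attributes elsewhere in the block cannot be checked here.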
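Review bot: In the context lines of the @@ -175 hunk, `[% breeding_loo.author %]`, `[% breeding_loo.isbn %]` and `[% breeding_loo.lccn %]` are still output without the `html` filter, although the neighbouring `[% breeding_loo.title |html %]` already has it and the patch is explicitly an XSS fix for this template. These values appear to come from the breeding records rather than from the form, so they are no less untrusted than the search criteria; I would change them to `[% breeding_loo.author | html %] [% breeding_loo.isbn | html %] [% breeding_loo.lccn | html %]`. The `- [% breeding_loo.server %]` / `+ [% breeding_loo.server %]` pair reads identically here, so the actual change on that line (presumably inside a stripped tag attribute) cannot be reviewed from this rendering, and the same applies to the @@ -192 hunk, whose changed lines are empty.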