From 682e706a4ac10b416b51bdb1ea8894dbe21b345e Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Wed, 27 Nov 2013 05:37:07 +1300
Subject: [PATCH] Bug 11307: Fix potential XSS attack in public catalog RSS feed

To test:
1/ Craft a url like /cgi-bin/koha/opac-search.pl?q=a&count=50"'<h1>test</h1>&sort_by=acqdate_dsc&format=rss2
2/ look at the source, notice 50"'<h1>test</h1>
3/ apply the patch, and reload url 4/ source now contains 50"'<h1>test</h1> Signed-off-by: Mark Tompsett Signed-off-by: Martin Renvoize Signed-off-by: Galen Charlton --- koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt index 2d51ba6ba6..ff2b23c709 100644 --- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt +++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt @@ -24,7 +24,7 @@ [% total %] [% offset %] [% IF ( results_per_page ) %] - [% results_per_page %] + [% results_per_page |html %] [% ELSE %] 20 [% END %] -- 2.39.5
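Review bot: in the hunk at `@@ -24,7 +24,7 @@` only `results_per_page` gains the `|html` filter, while the adjacent `[% total %]` and `[% offset %]` in the same context lines are still emitted unescaped; unless those are guaranteed to be server-computed integers, apply `|html` to them as well so every value reflected into the feed goes through the same output escaping. Since `count` is a per-page number, it would also be worth coercing it to an integer in the script that populates this template, so a non-numeric value such as the `50"'<h1>test</h1>` from the test plan falls through to the `[% ELSE %] 20` default instead of being echoed (escaped) into the RSS output.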