From 592653f067eb7580ab50425756e884b50b551f1c Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Thu, 26 May 2016 21:33:33 +1200 Subject: [PATCH] Bug 16597: Fix XSS in opac-shareshelf To test 1/ Go to /cgi-bin/koha/opac-shareshelf.pl?op=">&shelfnumber=5 2/ Notice you see a js alert 3/ Apply patch 4/ It is gone Reported by Alex Middleton at Dionach Signed-off-by: Chris Cormack Signed-off-by: Marcel de Rooy Signed-off-by: Brendan Gallagher (cherry picked from commit c47c835672a8fcd8c7df79663443f01639fc7657) Signed-off-by: Julian Maurice (cherry picked from commit 8d6486013b504fa652b43b2a20c3bb4da25034fd) Signed-off-by: Chris Cormack --- koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shareshelf.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shareshelf.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shareshelf.tt index 3605ef6a3b..2e3ed314e9 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shareshelf.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shareshelf.tt @@ -32,7 +32,7 @@
[% IF errcode %] - [% IF errcode==1 && op %]
The operation [% op %] is not supported.
[% END %] + [% IF errcode==1 && op %]
The operation [% op | html %] is not supported.
[% END %] [% IF errcode==1 && !op %]
No operation parameter has been passed.
[% END %] [% IF errcode==2 %]
Invalid shelf number.
[% END %] [% IF errcode==3 %]
The feature of sharing lists is not in use in this library.
[% END %] -- 2.39.5