]> git.koha-community.org Git - koha.git/commit
Bug 14418: More XSS vulnerabilities in opac-shelves.pl
authorChris Cormack <chrisc@catalyst.net.nz>
Thu, 18 Jun 2015 23:41:45 +0000 (11:41 +1200)
committerFridolin Somers <fridolin.somers@biblibre.com>
Tue, 23 Jun 2015 09:50:22 +0000 (11:50 +0200)
commitb9ebf70d9583d761d8db9eaf503ebe9498bc01e0
tree886c316c5c99a20a5111bd16fed11450daec9bcc
parentf62614fc091ba5b929189d12be10eae2643357d7
Bug 14418: More XSS vulnerabilities in opac-shelves.pl

To test:
1/ Hit a url like
/cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="><script>alert('oh
noes')</script>  Where the id is a valid shelf id
2/ Notice the js is executed
3/ Apply patch
4/ Reload page
5/ Notice input is now escaped on display

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Tested in Debian, couldn't reproduce the alert in Iceweasel, but in
Chromium. Patch fixes it.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit cd4c959f7226b060f683f5571f030cc2df7539ca)
(cherry picked from commit f9569612b65798dce457b5650a5b5162b80b12e8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt