]> git.koha-community.org Git - koha.git/commit
Bug 35960: Use .val() instead of string concat to prevent potential XSS
authorJulian Maurice <julian.maurice@biblibre.com>
Thu, 1 Feb 2024 08:15:23 +0000 (09:15 +0100)
committerFrédéric Demians <f.demians@tamil.fr>
Tue, 19 Mar 2024 07:18:20 +0000 (08:18 +0100)
commit193ac375aa5e9f30b4a3421cdca54856ebce3ea8
tree21b6714998774cfb2bd2291486eda0231a138af1
parent652e3819bd35117aa7a388eeb06f8a9ee188b031
Bug 35960: Use .val() instead of string concat to prevent potential XSS

Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char
3. Open the brower's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
   fragment. It should be URI-encoded.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e6f8a4361e2975dfefcd9773fa61ef7d40300086)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5409e17fb5abe0130f3cb2cd6c3d2a7707a5b251)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt