Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves
A specially crafted URL causes XSS in Koha.
To test:
cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E
cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves
These should cause a popup without the patch. With the patch, no popup.
You may need to create these lists; the XSS will not be triggered if the list doesn't exist or you don't
have permission to view them.
Signed-off-by: Chris <chris@bigballofwax.co.nz>
Fixes the two listed problems
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed patch fixes the problem.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit 0718ced5e452a3d295597d1b5ef976a6772610eb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Conflicts:
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
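The test plan above is manual: load two URLs and watch for a popup. The following Python script is an added example (not part of the Koha patch or of this bug report) that replays the same two payloads offline. It decodes the `viewshelf` and `shelfid` parameters from the test-plan URLs, renders them through two hypothetical stand-in renderers (one that interpolates the value verbatim into an attribute, mirroring the pre-patch behaviour, and one that HTML-escapes it first, mirroring what an escaping filter in the template does), and reports whether the raw payload is reflected. The `render_unescaped` / `render_escaped` functions and the hidden-input markup are assumptions for illustration; the actual opac-shelves.tt change is not shown on this page.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The two URLs from the commit's test plan (paths relative to the OPAC root).
TEST_URLS = [
    "cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E",
    "cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves",
]


def payload_params(url):
    """Decode the query string and return {name: value} for every parameter
    whose decoded value carries markup characters (a quote or an angle bracket).
    parse_qs already undoes the percent-encoding, so the values are what the
    server-side script would see."""
    query = parse_qs(urlsplit(url).query)
    return {
        name: values[0]
        for name, values in query.items()
        if any(ch in values[0] for ch in '<>"')
    }


def render_unescaped(name, value):
    """Hypothetical pre-patch behaviour: the parameter is interpolated into an
    attribute verbatim. This is a stand-in for the template, not Koha's code.
    The %22 in the payload closes the attribute and the script tag follows."""
    return f'<input type="hidden" name="{name}" value="{value}" />'


def render_escaped(name, value):
    """Hypothetical post-patch behaviour: the value is HTML-escaped, quotes
    included, before interpolation, which is what an html filter does."""
    return f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}" />'


def is_reflected_raw(body, payload):
    """True if the decoded payload appears verbatim in the response body,
    i.e. the script tag would be parsed as markup rather than as text."""
    return payload in body


def run_test_plan(renderer):
    """Replay the test plan against a renderer(name, value) -> HTML body.
    Returns {url: True if vulnerable (payload reflected unescaped)}."""
    results = {}
    for url in TEST_URLS:
        for name, value in payload_params(url).items():
            results[url] = is_reflected_raw(renderer(name, value), value)
    return results


if __name__ == "__main__":
    for label, renderer in (("before patch", render_unescaped), ("after patch", render_escaped)):
        for url, vulnerable in run_test_plan(renderer).items():
            print(f"{label}: {'XSS' if vulnerable else 'ok '}  {url}")
```

Against a live instance the same `is_reflected_raw` check can be applied to the fetched response body instead of the stand-in renderers; as the commit message notes, the list has to exist and be viewable by the requesting user, otherwise the parameter is never reflected and the check passes vacuously.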