From 44814081a72a995a91f7057d9158b18167c65dca Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Fri, 11 Aug 2017 19:36:43 +0000 Subject: [PATCH] Bug 19086 XSS in members/member.pl To test 1/ hit /cgi-bin/koha/members/member.pl?&searchmember= 2/ Notice js is executed 3/ Apply patch, reload 4/ js is now escaped Signed-off-by: Amit Gupta Signed-off-by: Katrin Fischer Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart (cherry picked from commit 5ae18484b5a47e8a00ce8f1a0fd8b3db471947eb) Signed-off-by: Fridolin Somers
---
 koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
index f8f2471bd7..73598d8e7c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
@@ -115,7 +115,7 @@ var dtMemberResults;
 var search = 1;
 $(document).ready(function() {
 [% IF searchmember %]
- $("#searchmember_filter").val("[% searchmember %]");
+ $("#searchmember_filter").val("[% searchmember | html %]");
 [% END %]
 [% IF searchfieldstype %]
 $("searchfieldstype_filter").val("[% searchfieldstype %]");
@@ -357,7 +357,7 @@ function filterByFirstLetterSurname(letter) {
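Review bot: The last context line of this hunk, `$("searchfieldstype_filter").val("[% searchfieldstype %]");`, still interpolates a template variable into a JavaScript string literal without the `html` filter, so if searchfieldstype is populated from the request the same way searchmember is, the injection path this patch closes for searchmember remains open one line below; I would change it to `$("#searchfieldstype_filter").val("[% searchfieldstype | html %]");` (the selector also appears to be missing its `#`, judging from the line above it). The `html` filter turns `"`, `<`, `>` and `&` into entities, which keeps the value from terminating the string literal or the script block, but it also means `.val()` will show those characters entity-encoded rather than verbatim; that is acceptable for a search echo but deserves a short comment such as `// value is HTML-escaped so it cannot break out of the string literal; quotes and ampersands appear as entities`. The enclosing `$(document).ready` callback continues past the end of the hunk.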
-

Patrons found for: [% IF searchmember %] for '[% searchmember %]'[% END %]

+

Patrons found for: [% IF searchmember %] for '[% searchmember | html %]'[% END %]

[% IF CAN_user_tools_manage_patron_lists %]
-- 2.39.5