]> git.koha-community.org Git - koha.git/commit
Bug 19114 - Stored XSS in parcels.pl
authorAmit Gupta <amit.gupta@informaticsglobal.com>
Tue, 15 Aug 2017 15:28:34 +0000 (20:58 +0530)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 29 Aug 2017 15:00:37 +0000 (12:00 -0300)
commit8534ca278022e82f55b1907bac31afa7e86b9d5f
tree436e0038ad799062dc2c210eebbbfac8aa0378c6
parentd31c635fe2cc6d0b715661d35a02723a48e42e2b
Bug 19114 - Stored XSS in parcels.pl

Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
   xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped

Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcels.tt