]> git.koha-community.org Git - koha.git/commit
Bug 19051 - XSS Flaws in - Batch record deletion page
authorAmit Gupta <amit.gupta@informaticsglobal.com>
Mon, 7 Aug 2017 15:38:36 +0000 (21:08 +0530)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 29 Aug 2017 15:00:37 +0000 (12:00 -0300)
commit92d58c60b0fa20a4c1e67edaf6cd4be50dcdce21
treeee21f1bbbc421c04111190a61c6acf87fdd46025
parent0cf9eb0cfbedf7a5a852b86a6e4e6ce4fbc43c14
Bug 19051 - XSS Flaws in - Batch record deletion page

1. Hit /cgi-bin/koha/tools/batch_delete_records.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Record number list (one per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Record number list (one per line) text area.
6. Notice it is no longer executed.
7. Fixes for both biblio and authority records.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
koha-tmpl/intranet-tmpl/prog/en/modules/tools/batch_delete_records.tt