git.koha-community.org Git - koha.git/commit
Bug 37861: Fix XSS vulnerability in barcode append function
author Artur <artur.norrby@gmail.com>
Sat, 7 Sep 2024 16:12:05 +0000 (18:12 +0200)
committer Aleisha Amohia <aleishaamohia@hotmail.com>
Tue, 5 Nov 2024 22:46:04 +0000 (22:46 +0000)
commit b576548223badb76272e9f28c1b24ca0e87caebf
tree e28737774eed3a5a70d9bc7b1a921557757097d6
parent 0c67fb93007de1c751b215332b2d10b2e40121f5
Bug 37861: Fix XSS vulnerability in barcode append function

When user inputs were appended directly to the barcode table, the values were not properly escaped, allowing potential XSS attacks. This patch ensures that user inputs are sanitized and safely added to the DOM using .text() and .attr() methods to prevent script injection.

To test:
1. Enable the "SelfCheckInModule".
2. Open the barcode input form.
3. Enter a barcode with HTML or script tags.
4. Without the patch, observe that the script is executed.
5. Apply the patch.
6. Repeat step 2.
7. Verify that the input is escaped and no script execution occurs.
8. Check that the barcode is properly appended to the table.

Documentation:
No updates required.

Sponsored-by: KillerRabbitAos
Signed-off-by: Bo Gustavsson <bosse@gustavsson.one>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
koha-tmpl/opac-tmpl/bootstrap/en/modules/sci/sci-main.tt
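An added illustration of the before/after pattern the commit message describes; it is not the commit's diff (which this page does not show) and not Koha's code. The row template, the field name and the sample input are assumed, and jQuery's .text()/.attr() are replaced by explicit escaping so the example runs under Node without a DOM.

```javascript
// Added illustration, not Koha's own code: why splicing a barcode string into
// markup is an XSS sink, and what "treat it as data" looks like.
// Constructed sample input: a scanned "barcode" that is really markup.
const HOSTILE_BARCODE = '<img src=x onerror="alert(1)">';

// What the browser's DOM setters (jQuery .text()/.attr()) achieve implicitly:
// the characters that can open a tag or close an attribute lose their meaning.
// Spelled out here so the example runs under Node without a DOM.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function unescapeHtml(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// BEFORE (the bug pattern): input concatenated into HTML, so the parser
// sees the <img> tag and its onerror handler as markup, not as a barcode.
function buildRowUnsafe(barcode) {
  return '<tr><td>' + barcode + '</td>' +
    '<td><input type="hidden" name="barcodes[]" value="' + barcode + '"></td></tr>';
}

// AFTER (the fix pattern): input escaped at every interpolation point; the
// jQuery equivalent is $('<td>').text(barcode) and $('<input>').attr('value', barcode).
function buildRowSafe(barcode) {
  const e = escapeHtml(barcode);
  return '<tr><td>' + e + '</td>' +
    '<td><input type="hidden" name="barcodes[]" value="' + e + '"></td></tr>';
}

// Structural invariant a test can check: a row built from data has exactly the
// seven tags of its template, whatever the barcode contains.
function tagCount(rowHtml) {
  return (rowHtml.match(/<[a-z/]/gi) || []).length;
}

// Recover the barcode text from the row's first cell (what .text() would return).
function firstCellText(rowHtml) {
  return unescapeHtml(rowHtml.match(/<td>(.*?)<\/td>/)[1]);
}
```

The tag-count invariant is the kind of check worth adding to a test suite: it fails the moment any interpolation point is left unescaped.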