]> git.koha-community.org Git - koha.git/commit
Bug 24412: (follow-up) prevent js injection
authorNicolas Legrand <nicolas.legrand@bulac.fr>
Thu, 5 Nov 2020 13:52:02 +0000 (14:52 +0100)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 6 Nov 2020 14:55:17 +0000 (15:55 +0100)
commitf806ae6277e95048851b32ecc70772e1793a5d43
treeaef335ed0268cfcae3ca7982aad0d6a75e18903f
parent3de906ac139852793ea06a41d7af284d6059e7bf
Bug 24412: (follow-up) prevent js injection

Some js variables are not properly escaped and can be executed if
containing javascript.

1. have some waiting reserve attached to a desk
2. change this desk name to : <script>alert("❤");</script>
3. go to user's checkout page (circulation.pl) and click on the
Hold(s) tab
4. you should see some popup with a ❤ in it.
5. apply patch and refresh page
6. now you should see the desk name printed properly in the page:
<script>alert("❤");</script>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
koha-tmpl/intranet-tmpl/prog/js/holds.js