git.koha-community.org Git - koha.git/commit
Bug 11307: Fix potential XSS attack in public catalog RSS feed
author Chris Cormack <chris@bigballofwax.co.nz>
Tue, 26 Nov 2013 16:37:07 +0000 (05:37 +1300)
committer Galen Charlton <gmc@esilibrary.com>
Tue, 26 Nov 2013 18:18:09 +0000 (18:18 +0000)
commit 682e706a4ac10b416b51bdb1ea8894dbe21b345e
tree 403f5dbc0a20324d3913a142607c3b0250acc765
parent 3fe0e784516309050fc5b6eda1ab7fdaf7643048
Bug 11307: Fix potential XSS attack in public catalog RSS feed

To test:
1/ Craft a url like
/cgi-bin/koha/opac-search.pl?q=a&count=50"'<h1>test</h1>&sort_by=acqdate_dsc&format=rss2
2/ look at the source, notice
<opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage>
3/ apply the patch, and reload url
4/ source now contains
 <opensearch:itemsPerPage>50&quot;'&lt;h1&gt;test&lt;/h1&gt;</opensearch:itemsPerPage>

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt
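Worked example added by the editor, not Koha code and not the contents of opac-opensearch.tt: a small Python model of the reproduction steps above. It pulls the `count` parameter out of the test URL from step 1, renders the `<opensearch:itemsPerPage>` element once without escaping (step 2) and once through an escaper that mimics Template Toolkit's `html` filter (step 4), and then parses both results as XML to show what a feed consumer actually sees. The helper names, the `tt_html_filter` behaviour and the `coerce_count` suggestion are assumptions of this example; the OpenSearch namespace URI is the standard 1.1 one and is used only so the fragment parses.

```python
"""Added example, not Koha's own code: models the pre- and post-patch
rendering of the count parameter inside <opensearch:itemsPerPage> for
Bug 11307.  Assumptions: tt_html_filter mimics Template Toolkit's html
filter; render_items_per_page stands in for the relevant line of
opac-opensearch.tt, whose actual markup is not on this page."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Reproduction URL from step 1 of the commit message (constructed input).
TEST_URL = ("/cgi-bin/koha/opac-search.pl?q=a&count=50\"'<h1>test</h1>"
            "&sort_by=acqdate_dsc&format=rss2")

# OpenSearch 1.1 namespace, needed only so the fragment parses as XML.
OPENSEARCH_NS = "http://a9.com/-/spec/opensearch/1.1/"


def tt_html_filter(value) -> str:
    """Mimic Template Toolkit's [% value | html %] filter (assumption):
    it escapes &, <, > and " and leaves the single quote alone, which is
    exactly the shape of the output shown in step 4."""
    return (str(value).replace("&", "&amp;")
            .replace("<", "&lt;")
            .replace(">", "&gt;")
            .replace('"', "&quot;"))


def count_from_url(url: str) -> str:
    """Return the raw `count` query parameter, as the CGI script sees it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("count", [""])[0]


def render_items_per_page(count: str, escape: bool) -> str:
    """escape=False: raw interpolation (pre-patch behaviour).
    escape=True: value passed through the html filter (patched behaviour)."""
    text = tt_html_filter(count) if escape else count
    return f"<opensearch:itemsPerPage>{text}</opensearch:itemsPerPage>"


def parse_feed_fragment(element_xml: str):
    """Parse the rendered element as XML and report what a feed consumer
    sees: (text content of itemsPerPage, number of child elements).
    Unescaped input turns the attacker's <h1> into a real child element;
    escaped input stays a single text node."""
    doc = f'<root xmlns:opensearch="{OPENSEARCH_NS}">{element_xml}</root>'
    node = ET.fromstring(doc).find(f"{{{OPENSEARCH_NS}}}itemsPerPage")
    return node.text, len(list(node))


def coerce_count(raw: str, default: int = 20) -> int:
    """Defence in depth suggested by the editor, not part of this patch:
    `count` is a page size, so reject anything that is not a positive
    integer before it ever reaches a template."""
    try:
        value = int(raw)
    except ValueError:
        return default
    return value if value > 0 else default


if __name__ == "__main__":
    count = count_from_url(TEST_URL)
    for label, escape in (("pre-patch", False), ("patched", True)):
        rendered = render_items_per_page(count, escape)
        print(label, rendered, parse_feed_fragment(rendered))
```

Running it prints the two element strings from steps 2 and 4. The parsed view is the point worth keeping in mind: before the patch the injected `<h1>` becomes an element of the feed document, so the attacker controls markup structure, not just text; after the escaping it is inert character data that decodes back to the literal string. Output escaping is the fix this commit ships; treating `count` as an integer at the input boundary, as `coerce_count` does, is an additional layer the editor would add, not something this patch does.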