git.koha-community.org Git - koha.git/commit
Bug 19051 - XSS Flaws in - Batch record deletion page
author    Amit Gupta <amit.gupta@informaticsglobal.com>
          Mon, 7 Aug 2017 15:38:36 +0000 (21:08 +0530)
committer Mason James <mtj@kohaaloha.com>
          Thu, 24 Aug 2017 05:56:07 +0000 (17:56 +1200)
commit    c8f66aa7d350a154e658119afd0abc29ff377bc3
tree      686cf8ddbc22a6d23473c391af6909b3fba66930
parent    1e74b19207b0b137788eee44e0456ef682479e1e
Bug 19051 - XSS Flaws in - Batch record deletion page

1. Hit /cgi-bin/koha/tools/batch_delete_records.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Record number list (one per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Record number list (one per line) text area.
6. Notice it is no longer executed.
7. Fixes for both biblio and authority records.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
koha-tmpl/intranet-tmpl/prog/en/modules/tools/batch_delete_records.tt
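The test plan above reduces to one point: a submitted record number that is echoed back into the page without escaping becomes markup. The following Perl script is an added illustration, not code from the Koha commit; it renders the same payload through two hypothetical Template Toolkit fragments, one interpolating the value raw and one passing it through TT's `html` filter (the idiom Koha templates use for output escaping), so the difference the commit message describes can be seen in the generated HTML. The template fragments and variable name are assumptions, not the contents of batch_delete_records.tt.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed input: the payload from the test plan, as pasted into the
# "Record number list (one per line)" textarea.
my $user_input = q{<IFRAME SRC="javascript:alert('XSS');"></IFRAME>};

# Hypothetical template fragments that echo a submitted record number back
# into the results page. The first interpolates it unescaped (the flaw);
# the second applies Template Toolkit's built-in html filter, which turns
# < > & " into entities so the browser treats the value as text.
my %fragment = (
    vulnerable => q{<li>Record [% record_id %] could not be deleted</li>},
    hardened   => q{<li>Record [% record_id | html %] could not be deleted</li>},
);

my $tt = Template->new();

# Render one fragment with the payload and return the resulting HTML.
sub render {
    my ( $template, $value ) = @_;
    my $output = '';
    $tt->process( \$template, { record_id => $value }, \$output )
        or die $tt->error;
    return $output;
}

# True if the output still contains a live <IFRAME tag, i.e. the value
# was emitted as markup rather than as escaped text.
sub contains_raw_iframe {
    my ($html) = @_;
    return $html =~ /<iframe\b/i ? 1 : 0;
}

for my $label (qw(vulnerable hardened)) {
    my $html = render( $fragment{$label}, $user_input );
    printf "%-10s raw iframe present: %s\n%s\n\n",
        $label, contains_raw_iframe($html) ? 'yes' : 'no', $html;
}
```

Requires the Template Toolkit distribution (`cpan Template`); the same escaping applies to any other place a page reflects user-supplied record numbers, including the textarea itself, where an unescaped `</textarea>` would break out of the element.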