From 13147e7c05daa73a4f562541c3a7f8c98747bc83 Mon Sep 17 00:00:00 2001
From: Katrin Fischer
Date: Wed, 16 Aug 2017 12:59:13 +0200
Subject: [PATCH] Bug 19086 - Follow-up - XSS in supplier.tt
In preparation: Make sure you enter in all fields of a new vendor that are not validated and save. 1) Access vendor summary page. 2) Verify scripts are executed 3) Apply patch 4) Verify scripts are on longer executed This works in combination with the other patches for XSS on this bug.
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
(cherry picked from commit 14a1aba57cc091a70c527a0d6bd495d21bd87345)
Signed-off-by: Fridolin Somers
---
 .../intranet-tmpl/prog/en/modules/acqui/supplier.tt | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
index b0e127b7e4..86e51e5a48 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
@@ -57,7 +57,7 @@ [% END %] [% BLOCK show_contact %] -

[% contact.name %]

+

[% contact.name |html %]

Position: [% contact.position |html %]

Phone: [% contact.phone |html %]

Alternative phone: [% contact.altphone |html %]

@@ -169,7 +169,7 @@ function delete_contact(ev) { [% INCLUDE 'header.inc' %] [% INCLUDE 'acquisitions-search.inc' %] - +
@@ -178,7 +178,7 @@ function delete_contact(ev) {
[% IF ( enter ) %] [% IF ( booksellerid ) %] -

Update: [% name %]

+

Update: [% name |html %]

[% ELSE %]

Add vendor

[% END %] @@ -318,11 +318,11 @@ function delete_contact(ev) {
[% ELSE %] -

[% name %]

+

[% name |html %]

Vendor details

-

Company name: [% name %]

+

Company name: [% name |html %]

Postal address: [% postal |html %]

Physical address: [% address1 |html %][% address2 |html %][% address3 |html %][% address4 |html %]

Phone: [% phone |html %]

-- 2.39.5