Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves
author    Liz <wizzyrea@gmail.com>
          Mon, 5 Jan 2015 02:32:32 +0000 (02:32 +0000)
committer Tomas Cohen Arazi <tomascohen@gmail.com>
          Thu, 22 Jan 2015 19:35:47 +0000 (16:35 -0300)
commit    52fe1238915bf88fbb5f048029b67250e59409a0
tree      e885337e0afe22f8ee5756ba3886c9cf6ae1cb7d
parent    312bf659565766ac57e68155cbeaa08f316be83c
Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves

A specially crafted URL causes XSS in Koha.

To test:

cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E

cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves

These should cause a popup without the patch. With the patch, no popup.

You may need to create these lists; the XSS will not be triggered if the list doesn't exist or you don't
have permission to view it.

Signed-off-by: Chris <chris@bigballofwax.co.nz>
Fixes the two listed problems.

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed patch fixes the problem.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt