From d35384c039b8db00659d1cd0ee08cfb50c45481e Mon Sep 17 00:00:00 2001
From: Chris
Date: Sun, 21 Jun 2015 08:33:13 +0000
Subject: [PATCH] Bug 14423 XSS bug in auth_subfields_structure

1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice a ton of alert boxes pop up
3/ Apply patch
4/ Reload url, no longer get any alerts
5/ Test fuctionality still works

Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
Signed-off-by: Chris Cormack
---
 .../modules/admin/auth_subfields_structure.tt | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_subfields_structure.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_subfields_structure.tt
index 87b468b5a9..5d4b0bf7c1 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_subfields_structure.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_subfields_structure.tt
@@ -27,11 +27,11 @@ function displayMoreConstraint(numlayer){
 [% INCLUDE 'cat-search.inc' %]