From 0907aa7fe9643aa4eda0d59d8c0765bc7d7a9318 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 15:22:33 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: subscription-add.tt

Test the process of adding a subscription, entering both a valid vendor ID and a non-existent vendor ID. The non-existent vendor ID should trigger a validation alert.

Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit 583aad8e48790443a14ac4b7dfe85fa1bdeb91a2)
Signed-off-by: Victor Grousset/tuxayo
---
 .../intranet-tmpl/prog/en/modules/serials/subscription-add.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-add.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-add.tt
index bbeab8ac65..f9756bb8ab 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-add.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-add.tt
@@ -556,7 +556,7 @@ fieldset.rows table { clear: none; margin: 0; }
 var MSG_MANA_NO_SUBSCRIPTION_FOUND = _("No subscription found on Mana Knowledge Base");
 var MSG_MANA_SHARE_PATTERN = _("Please feel free to share your pattern with all others librarians once you are done");
- var BOOKSELLER_IDS = [% To.json( bookseller_ids ) || '[]' | $raw %];
+ var BOOKSELLER_IDS = [% To.json( bookseller_ids ) || '[]' | html %];
 
 [% Asset.js("js/subscription-add.js") | $raw %]
 [% Asset.js("js/showpredictionpattern.js") | $raw %]
-- 
2.39.5
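Review bot: The new `html` filter on the `BOOKSELLER_IDS` line is context-correct only because the value is numeric: inside a `<script>` element the HTML parser does not decode entities, so if `bookseller_ids` ever carried a string containing `&`, `<`, `>`, `"` or `'`, the escaped output would be a JavaScript syntax error rather than a safe literal. The commit message describes vendor IDs, so the emitted JSON is presumably an array of integers and the line behaves as intended today. A more robust pattern is to move the JSON out of the script context into a data attribute, `<div id="subscription-add-data" data-bookseller-ids="[% To.json( bookseller_ids ) || '[]' | html %]">`, and read it with `var BOOKSELLER_IDS = JSON.parse(document.getElementById('subscription-add-data').dataset.booksellerIds);`, where HTML escaping is exactly the right encoding for the context. Until then, a template comment on the line, `[%# html filter is sufficient here only because bookseller_ids holds integer IDs %]`, would record that assumption for the next maintainer. The enclosing `<script>` block starts and ends outside the hunk.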