]> git.koha-community.org Git - koha.git/commit
Bug 16587 opac-sendshelf.pl is vulnerable to XSS
authorChris Cormack <chris@bigballofwax.co.nz>
Wed, 25 May 2016 14:06:28 +0000 (14:06 +0000)
committerJulian Maurice <julian.maurice@biblibre.com>
Wed, 31 Aug 2016 09:33:46 +0000 (11:33 +0200)
commit7328543f23986206751f624032f6036fbe8c0e41
treeb7cd70c0628c795021f001a87d6c45a29f896026
parent64353ccb2dd4f276d3adb6d770daff2294614618
Bug 16587 opac-sendshelf.pl is vulnerable to XSS

To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendshelf.pl?email=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&shelfid=4
2/ Notice you get a js alert
3/ Apply patch
4/ Notice the js is now escaped

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 4e817ee04c2b5fbc2353ff382c6630322e57d8ae)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendshelfform.tt