From 683f9ec507276af1737d6fba4ba653a38557bf78 Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Fri, 11 Aug 2017 19:36:43 +0000
Subject: [PATCH] Bug 19086 XSS in members/member.pl

To test
1/ hit /cgi-bin/koha/members/member.pl?&searchmember=
2/ Notice js is executed
3/ Apply patch, reload
4/ js is now escaped

Signed-off-by: Amit Gupta
Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Mason James
---
 koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
index 3199fb1bb9..b597a8f9c0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
@@ -114,7 +114,7 @@ var dtMemberResults;
 var search = 1;
 $(document).ready(function() {
     [% IF searchmember %]
-        $("#searchmember_filter").val("[% searchmember %]");
+        $("#searchmember_filter").val("[% searchmember | html %]");
     [% END %]
     [% IF searchfieldstype %]
         $("searchfieldstype_filter").val("[% searchfieldstype %]");
@@ -356,7 +356,7 @@ function filterByFirstLetterSurname(letter) {
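Review bot: The sibling assignment three lines below the fix, `$("searchfieldstype_filter").val("[% searchfieldstype %]");`, still interpolates a template variable into a JavaScript string literal with no `| html` filter, so the same injection pattern this commit closes for `searchmember` remains open there if `searchfieldstype` is request-derived (it sits next to `searchmember` and is likely populated the same way, but that is not visible in this hunk); the fix is the same one-token change, `$("searchfieldstype_filter").val("[% searchfieldstype | html %]");`. That selector also appears to lack the leading `#` that `#searchmember_filter` has, so it probably matches no element — worth confirming against the markup, since a dead selector only masks the unescaped interpolation until someone fixes the selector. A caveat on the chosen fix: `| html` emits HTML entities inside a JavaScript string, so a search term containing `"` or `&` is written into the input as entity text rather than the original characters; that is acceptable for closing the XSS, but a follow-up may want a JavaScript-string escaping filter instead. The enclosing `$(document).ready` callback continues past the end of the hunk.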