From cf373de7a8e811032b1d6a9ebac1652bed87a59e Mon Sep 17 00:00:00 2001 From: Katrin Fischer Date: Wed, 16 Aug 2017 14:34:17 +0200 Subject: [PATCH] Bug 19128 - XSS - patron-attr-types.tt, authorised_values.tt and categories.tt Preparation: - Add a branch with script in the branch name - Add a patron category with script in the category name - Add a new authorised value cateogory with script - Add a new authroised value for this category with script in all possible fields - Test editing patron categories - Test editing patron attribute types - Test viewing and editing authorised values Verify that with this script there is no more script executed and everything works fine. Signed-off-by: Amit Gupta Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart (cherry picked from commit 6b7ad77fffd7a6c4b69bce5bf666c6ff4be76c5b) Signed-off-by: Fridolin Somers (cherry picked from commit 8b85e835541e650cfa4c867bcd65fc5d03334613) Signed-off-by: Katrin Fischer --- .../prog/en/modules/admin/authorised_values.tt | 18 +++++++++--------- .../prog/en/modules/admin/categories.tt | 4 ++-- .../prog/en/modules/admin/patron-attr-types.tt | 10 +++++----- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt index f4f56cf75e..4f6acf8fe7 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt @@ -109,9 +109,9 @@ $(document).ready(function() { [% FOREACH branch IN branches_loop %] [% IF ( branch.selected ) %] - + [% ELSE %] - + [% END %] [% END %] @@ -164,7 +164,7 @@ $(document).ready(function() { [% IF op == 'list' %] @@ -207,9 +207,9 @@ $(document).ready(function() { @@ -250,7 +250,7 @@ $(document).ready(function() { [% IF ( category == 'NOT_LOAN' ) %]

Statuses to describe why an item is not for loan

[% END %] -

Authorized values for category [% category %]:

+

Authorized values for category [% category |html %]:

[% IF ( loop ) %]
[% END %] @@ -272,8 +272,8 @@ $(document).ready(function() { [% END %] [% loo.authorised_value %] - [% loo.lib %] - [% loo.lib_opac %] + [% loo.lib |html %] + [% loo.lib_opac |html %] [% IF ( loo.imageurl ) %][% ELSE %] [% END %] [% IF loo.branches.size > 0 %] @@ -296,7 +296,7 @@ $(document).ready(function() { [% END %] [% ELSE %] -
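Review bot: In the @@ -272 hunk the context line `[% loo.authorised_value %]` is still rendered unfiltered while the neighbouring `lib` and `lib_opac` cells now get `|html`; the authorised value itself is entered on the same admin form as those fields, so unless it is validated server-side it should get the same treatment, `[% loo.authorised_value |html %]`. The same hunk's `[% IF ( loo.imageurl ) %]` branch has had its markup stripped from this view, so whether `imageurl` is escaped cannot be confirmed here. Note also that Template Toolkit's `html` filter escapes only `&`, `<`, `>` and `"`, so it does not protect values placed inside single-quoted attributes; the `<option>` lines in the @@ -109 hunk of this file (and the matching hunks in categories.tt and patron-attr-types.tt) are not visible in this rendering, so their attribute quoting should be checked before relying on `|html` alone.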
There are no authorized values defined for [% category %]
+
There are no authorized values defined for [% category |html %]
[% END %] [% IF ( isprevpage ) %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt index f5224c554c..95c51ddffc 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt @@ -160,9 +160,9 @@ [% FOREACH branch IN branches_loop %] [% IF branch.selected %] - + [% ELSE %] - + [% END %] [% END %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt index 6fb7c97778..ec6b0afbf2 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt @@ -154,9 +154,9 @@ $(document).ready(function() { [% FOREACH branch IN branches_loop %] [% IF ( branch.selected ) %] - + [% ELSE %] - + [% END %] [% END %] @@ -168,7 +168,7 @@ $(document).ready(function() { Choose one to limit this attribute to one patron type. Please leave blank if you want these attributes to be available for all types of patrons. @@ -180,11 +180,11 @@ $(document).ready(function() { [% FOREACH class IN classes_val_loop %] [% IF class.authorised_value == category_class %] [% ELSE %] [% END %] [% END %] -- 2.39.5