]> git.koha-community.org Git - koha.git/commit
Bug 19738: Fix XSS on vendor name in serials module
authorJosef Moravec <josef.moravec@gmail.com>
Sun, 3 Dec 2017 22:21:57 +0000 (22:21 +0000)
committerNick Clemens <nick@bywatersolutions.com>
Fri, 26 Jan 2018 12:01:37 +0000 (07:01 -0500)
commit0a372c2b1ebcc9ce6ce4310fc227b801fe04cc85
tree011badbfc40ba775005d2d20fecd81147ea6a260
parentb9b75c03341d70ae9c3d84471c4a9ef3809d34a9
Bug 19738: Fix XSS on vendor name in serials module

Test plan:

1) do not apply this patch
2) Have at least one vendor which name does contain javascript, for
example: <i>Vendor 1</i><script>alert('Hi');</script>
3) go to serial module and create new subscription
4) use "Search for vendor"
5) Search for your vendor, when search results table is presented, the
javascript is executed
6) go through subscription creation and save the new subscription
7) On subscription detail page, the javascript is executed as well
8) apply this patch
9) Repeat 3-7, the script is not executed, the input is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
koha-tmpl/intranet-tmpl/prog/en/modules/serials/acqui-search-result.tt
koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt