git.koha-community.org Git - koha.git/commit
Bug 19112 - Stored XSS in basketheader.pl page
author: Amit Gupta <amit.gupta@informaticsglobal.com>
Tue, 15 Aug 2017 14:21:48 +0000 (19:51 +0530)
committer: Fridolin Somers <fridolin.somers@biblibre.com>
Wed, 23 Aug 2017 15:00:28 +0000 (17:00 +0200)
commit: 6bdc17da42b62d351593540577a06a6827be94ff
tree: 70b378293fe3fcd23f754c7d4b8120c7dd15c2a2
parent: f2fad9d2b884c8b52def21f00b9c78542ed58a49
Bug 19112 - Stored XSS in basketheader.pl page

To Test

1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add text in the fields Basket name, Internal note, Vendor note that contains JavaScript
3. Save the page
4. Notice js is executed
5. Apply patch, reload, js is escaped.

Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 65c7b505ee56f088f3c475595e53fbe53a77d4a2)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basketheader.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
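The commit page above lists the three Template Toolkit files that were changed but does not show the diff. The following is an added illustration, not Koha's own code and not taken from this commit: it renders the same constructed "Basket name" and "Internal note" values once through a template that interpolates them raw and once through a template that applies Template Toolkit's `html` filter, which is the escaping mechanism Koha templates use. The variable names `basketname` and `note` are assumptions chosen for the example; the real templates may name these fields differently.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): why vendor- and user-supplied fields in
# acqui/*.tt need the Template Toolkit "html" filter before they are output.
use strict;
use warnings;
use Template;

# Constructed sample input, standing in for what a user typed into the
# "Basket name" and "Internal note" fields of basketheader.pl. The first
# value carries a script tag; the second carries characters that must be
# entity-encoded so they cannot break out of the surrounding markup.
my $vars = {
    basketname => 'Summer order <script>alert("xss")</script>',   # assumed variable name
    note       => 'Internal note with & and "double quotes"',     # assumed variable name
};

# Before: values are interpolated unchanged, so the browser parses the
# script tag as markup and runs it when the stored basket is viewed.
my $unsafe_tt = '<h2>Basket: [% basketname %]</h2><p>[% note %]</p>';

# After: the html filter rewrites <, >, & and " as entities, so the browser
# displays the text literally instead of executing it.
my $safe_tt = '<h2>Basket: [% basketname | html %]</h2><p>[% note | html %]</p>';

my $tt = Template->new() or die Template->error();

for my $label_and_tmpl ( [ 'unescaped', $unsafe_tt ], [ 'escaped', $safe_tt ] ) {
    my ( $label, $tmpl ) = @$label_and_tmpl;
    my $out = '';
    $tt->process( \$tmpl, $vars, \$out ) or die $tt->error();
    print "[$label]\n$out\n\n";
}
```

Run it with `perl escape_demo.pl`; the second block of output shows `&lt;script&gt;` and `&quot;` in place of the raw characters, which is the behaviour the test plan's step 5 ("js is escaped") checks for in the browser. A quick review check for this class of bug is to grep the changed templates for `[% ... %]` directives that output request- or database-sourced fields without `| html` (or `| uri` for values placed in URLs).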