From 4a80c0483ee87cde8a065c425a519a471ed6fcb3 Mon Sep 17 00:00:00 2001 From: Liz Date: Mon, 5 Jan 2015 02:32:32 +0000 Subject: [PATCH] Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves A specially crafted url causes XSS in Koha To test: cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves These should cause a popup without the patch. With the patch, no popup. You may need to create these lists, the xss will not be triggered if the list doesn't exist or you don't have permission to view them. Signed-off-by: Chris Fixes the two listed problems Signed-off-by: Katrin Fischer Confirmed patch fixes the problem. Signed-off-by: Martin Renvoize Signed-off-by: Mason James (cherry picked from commit 0718ced5e452a3d295597d1b5ef976a6772610eb) Signed-off-by: Fridolin Somers Conflicts: koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt --- .../en/modules/opac-downloadshelf.tt | 4 +-- .../bootstrap/en/modules/opac-shelves.tt | 36 +++++++++---------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt index 1d38e61f55..b9274488c1 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt @@ -23,7 +23,7 @@ [% FOREACH csv_profile IN csv_profiles %] - + [% END %] @@ -31,7 +31,7 @@
- Cancel + Cancel
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt index 7d77432c38..a97417328d 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt @@ -148,10 +148,10 @@
New list | - Download list + Download list [% IF Koha.Preference( 'opacuserlogin' ) == 1 %] - Send list + Send list [% END %] Print list @@ -161,13 +161,13 @@
- +
- + [% IF ( showprivateshelves ) %] [% END %] @@ -177,7 +177,7 @@
- + + [% END %]
@@ -470,13 +470,13 @@ - +
- + [% IF ( showprivateshelves ) %] [% END %] @@ -496,13 +496,13 @@ [% END # / IF viewshelf %] [% IF ( itemsloop && allowremovingitems ) %] - + - +
[% ELSIF ( !itemsloop && manageshelf ) %]
- + @@ -513,7 +513,7 @@ - +
Editing [% shelfname |html %]
    @@ -573,9 +573,9 @@
    [% IF ( showprivateshelves ) %] - Cancel + Cancel [% ELSE %] - Cancel + Cancel [% END %]
    @@ -630,7 +630,7 @@ [% IF ( shelveslooppri.mine ) %]
    - + @@ -638,10 +638,10 @@ - - + + [% IF ( shelveslooppri.confirm ) %] - + [% ELSE %] -- 2.39.5
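Review bot: The fix is applied only at the template layer: the diffstat shows changes to opac-downloadshelf.tt and opac-shelves.tt alone, while the reported vectors are the `viewshelf` and `shelfid` query parameters handled by opac-shelves.pl and opac-downloadshelf.pl. Since a shelf number is numeric, the controllers should also reject non-integer values for these parameters before they reach any template, so the protection does not depend on every future use of the value in a .tt file carrying the right filter. A regression test that requests the two URLs from the test plan and asserts that the raw `<script>` string does not appear in the response would catch reintroduction.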
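Review bot: The trailer records a cherry-pick conflict in opac-shelves.tt, so the hunks in that file (the Download list / Send list links, the hidden shelf-number inputs, and the Cancel links in both the showprivateshelves branches) were hand-merged rather than applied verbatim; please re-run both test URLs from the commit message against this branch, not just the original one, before pushing. When checking the merged hunks, note that the values placed inside href attributes and those placed inside element bodies need different escaping (URL-encoding for query-string parameters, HTML escaping for text, as the existing `Editing [% shelfname |html %]` line already does), and confirm that each hunk uses the filter appropriate to its context.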