From ffedb03412b100d296f64a3f7e4eeecde3f5680d Mon Sep 17 00:00:00 2001
From: Katrin Fischer
Date: Wed, 16 Aug 2017 14:34:17 +0200
Subject: [PATCH] Bug 19128 - XSS - patron-attr-types.tt, authorised_values.tt and categories.tt
Preparation:
- Add a branch with script in the branch name
- Add a patron category with script in the category name
- Add a new authorised value cateogory with script
- Add a new authroised value for this category with script in all possible fields
- Test editing patron categories
- Test editing patron attribute types
- Test viewing and editing authorised values
Verify that with this script there is no more script executed and everything works fine.
Signed-off-by: Amit Gupta
Signed-off-by: Marcel de Rooy
Signed-off-by: Mason James
---
.../prog/en/modules/admin/authorised_values.tt | 18 +++++++++---------
.../prog/en/modules/admin/categories.tt | 4 ++--
.../prog/en/modules/admin/patron-attr-types.tt | 10 +++++-----
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt
index 2aa3b5ffd6..ec170a3645 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt
@@ -110,9 +110,9 @@ $(document).ready(function() {
[% FOREACH branch IN branches_loop %] [% IF ( branch.selected ) %] - + [% ELSE %] - + [% END %] [% END %]
@@ -164,7 +164,7 @@ $(document).ready(function() {
[% IF op == 'list' %]
@@ -199,9 +199,9 @@ $(document).ready(function() {
@@ -242,7 +242,7 @@ $(document).ready(function() {
[% IF ( category == 'NOT_LOAN' ) %]

Statuses to describe why an item is not for loan

[% END %] -

Authorized values for category [% category %]:

+

Authorized values for category [% category |html %]:

[% IF ( loop ) %]
[% END %]
@@ -264,8 +264,8 @@ $(document).ready(function() {
[% END %] [% loo.authorised_value %]
- [% loo.lib %]
- [% loo.lib_opac %]
+ [% loo.lib |html %]
+ [% loo.lib_opac |html %]
[% IF ( loo.imageurl ) %][% ELSE %] [% END %] [% IF loo.branches.size > 0 %]
@@ -288,7 +288,7 @@ $(document).ready(function() {
[% END %] [% ELSE %]
-
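Review bot: `[% loo.authorised_value %]` on the context line directly above the two newly escaped `loo.lib` cells still renders without the `|html` filter, so an authorised value whose code itself contains markup would still be emitted raw in what appears to be the same table row this hunk is fixing. The commit message says script was placed in all possible fields, so this column should be covered in the same pass: `[% loo.authorised_value |html %]`. The `loo.imageurl` line in this hunk has lost its markup in this rendering, so whether that attribute is escaped cannot be confirmed from here. The enclosing `[% IF op == 'list' %]` block and the `loo.branches` loop continue outside the hunk.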
There are no authorized values defined for [% category %]
+
There are no authorized values defined for [% category |html %]
[% END %] [% IF ( isprevpage ) %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
index bd529e6c90..eea3d30be1 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
@@ -160,9 +160,9 @@
[% FOREACH branch IN branches_loop %] [% IF branch.selected %] - + [% ELSE %] - + [% END %] [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt
index 72562c4c34..9e597718ab 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt
@@ -163,9 +163,9 @@ $(document).ready(function() {
[% FOREACH branch IN branches_loop %] [% IF ( branch.selected ) %] - + [% ELSE %] - + [% END %] [% END %]
@@ -177,7 +177,7 @@ $(document).ready(function() {
Choose one to limit this attribute to one patron type. Please leave blank if you want these attributes to be available for all types of patrons.
@@ -189,11 +189,11 @@ $(document).ready(function() {
[% FOREACH class IN classes_val_loop %] [% IF class.authorised_value == category_class %] [% ELSE %] [% END %] [% END %]
--
2.39.5