From fb90eee74c483eb188b8c682a1259ba964f9c2b8 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 10:15:54 +0530
Subject: [PATCH] Bug 19103 - Stored XSS in matching-rules.pl
To Test
1. Hit the page /cgi-bin/koha/admin/matching-rules.pl
2. Click on new record matching rule
3. Add a text in the field Description that contain js.
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
(cherry picked from commit 9222cd77d282affffba43a40a9ff2f768647501e)
Signed-off-by: Fridolin Somers
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/matching-rules.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/matching-rules.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/matching-rules.tt
index e75398caa9..6c15b2b328 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/matching-rules.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/matching-rules.tt
@@ -602,7 +602,7 @@ function CheckRuleForm(f) {
 [% available_matching_rule.matcher_id %] [% available_matching_rule.code %]
- [% available_matching_rule.description %]
+ [% available_matching_rule.description |html %]
 Edit Delete
--
2.39.5
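Review bot: The neighbouring context lines still interpolate `[% available_matching_rule.matcher_id %]` and `[% available_matching_rule.code %]` with no filter; `code` is operator-entered text just like the description, so it should get the same treatment, `[% available_matching_rule.code |html %]`. The `|html` filter is appropriate for this line because the value is emitted as element content; if the description is also echoed into an attribute value or a script block elsewhere in this template (the edit form, outside the hunk), that site needs its own context-appropriate escaping and is not covered by this one-line change. The loop that renders this table row starts and ends outside the hunk, so I cannot confirm from here which other fields of the same record are output unescaped.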