From 3a1f035038636c57a78350effccbaa903e6b835f Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Tue, 15 Aug 2017 13:55:45 +0530 Subject: [PATCH] Bug 19108 - Stored XSS in classsources.pl Fixed for both Classification sources & Classification filing rules To Test 1. first case classification source: Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_source second case classification filing rules: Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_sort_rule 2. Add text in the field Description that contains js 3. Save the page. 4. Notice js is executed 5. Apply patch and reload, the js is escaped Signed-off-by: Katrin Fischer Signed-off-by: Marcel de Rooy Signed-off-by: Mason James --- koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt index 2785ebbd5a..704d96c679 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt @@ -210,7 +210,7 @@ [% FOREACH class_source IN class_sources %] [% class_source.code %] - [% class_source.description %] + [% class_source.description |html %] [% IF ( class_source.used ) %]Yes[% ELSE %]No[% END %] [% class_source.sortrule %] @@ -241,7 +241,7 @@ [% FOREACH class_sort_rule IN class_sort_rules %] [% class_sort_rule.rule %] - [% class_sort_rule.description %] + [% class_sort_rule.description |html %] [% class_sort_rule.sort_routine %] Edit -- 2.39.5
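Review bot: in the @@ -210 hunk the `|html` filter is applied only to the description cell, while `[% class_source.code %]` and `[% class_source.sortrule %]` in the same row are still emitted unfiltered. Both come from the same stored record the test plan populates through op=add_source, so unless the code is constrained to a safe character set on input, it needs the same treatment, i.e. `[% class_source.code |html %]` and `[% class_source.sortrule |html %]`; if the input side already restricts them, a short template comment saying so would save the next reviewer the same question. Template Toolkit's `html` filter escapes `&`, `<`, `>` and `"`, which is the right choice for the element-text context shown here, but it is not sufficient on its own for attribute or script contexts, so the edit form that redisplays a stored description (not part of this diff) should be checked separately rather than assumed fixed by this hunk.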
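Review bot: the @@ -241 hunk has the same gap as the first one: `[% class_sort_rule.rule %]` and `[% class_sort_rule.sort_routine %]` stay unfiltered in the row whose description now gets `|html`. The rule name is entered through op=add_sort_rule, the form the test plan exercises, so it should get `[% class_sort_rule.rule |html %]` as well; `sort_routine` looks like a value selected from a fixed set, but since the diff does not show where it comes from, either filter it too (it is harmless on a constant) or note why it is trusted. The commit message describes the fix as escaping at display time, which matches what the hunk does; it would be worth stating that the stored value itself is left as entered, so other templates that render these rows are not covered by this patch.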