git.koha-community.org Git - koha.git/commit

author	Josef Moravec <josef.moravec@gmail.com>
	Sun, 3 Dec 2017 22:21:57 +0000 (22:21 +0000)
committer	Chris Cormack <chrisc@catalyst.net.nz>
	Thu, 22 Feb 2018 18:52:10 +0000 (07:52 +1300)
commit	9ae84a513072b742013c391f2e3622c7c3e627f9
tree	c5d277b6efc8aca57763251cc808753314c147a1	tree \| snapshot
parent	04ced01839f6792fdab1bca5a6327e524ca863ea	commit \| diff

Bug 19738: Fix XSS on vendor name in serials module

Test plan:

1) do not apply this patch
2) Have at least one vendor which name does contain javascript, for
example: <i>Vendor 1</i><script>alert('Hi');</script>
3) go to serial module and create new subscription
4) use "Search for vendor"
5) Search for your vendor, when search results table is presented, the
javascript is executed
6) go through subscription creation and save the new subscription
7) On subscription detail page, the javascript is executed as well
8) apply this patch
9) Repeat 3-7, the script is not executed, the input is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 8a20bfe5ea8930bc331ad3c6f5f268ee13f8d8a0)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

koha-tmpl/intranet-tmpl/prog/en/modules/serials/acqui-search-result.tt		diff \| blob \| history
koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt		diff \| blob \| history