]> git.koha-community.org Git - koha.git/commit
projects / koha.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 89fcf9d) | patch
Bug 11307: Fix potential XSS attack in public catalog RSS feed
authorChris Cormack <chris@bigballofwax.co.nz>
Tue, 26 Nov 2013 16:37:07 +0000 (05:37 +1300)
committerTomas Cohen Arazi <tomascohen@gmail.com>
Mon, 16 Dec 2013 12:42:22 +0000 (09:42 -0300)
commitbfe7ead7c815aec3133bafae59253e9924e78fe0
tree1fd3e18c3ca5bb0b5fcbb619df36b7e7209e420ctree | snapshot
parent89fcf9d31d880f2f5d9610f0e4fd86fa7dd05f0ecommit | diff
Bug 11307: Fix potential XSS attack in public catalog RSS feed

To test:
1/ Craft a url like
/cgi-bin/koha/opac-search.pl?q=a&count=50"'<h1>test</h1>&sort_by=acqdate_dsc&format=rss2
2/ look at the source, notice
<opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage>
3/ apply the patch, and reload url
4/ source now contains
 <opensearch:itemsPerPage>50&quot;'&lt;h1&gt;test&lt;/h1&gt;</opensearch:itemsPerPage>

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
(cherry picked from commit 682e706a4ac10b416b51bdb1ea8894dbe21b345e)
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt diff | blob | history
Main Koha release repository