]> git.koha-community.org Git - koha.git/commit
Bug 35960: Use .val() instead of string concat to prevent potential XSS
authorJulian Maurice <julian.maurice@biblibre.com>
Thu, 1 Feb 2024 08:15:23 +0000 (09:15 +0100)
committerWainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
Wed, 27 Mar 2024 05:30:13 +0000 (05:30 +0000)
commitdca99588e790093e18a67d1206dd732352538015
treefbfeed07f38601eb18edd3c93d89a6a4883810a9
parent931a02f54ac7b8e76c1bd290cae0ca59fdd1bf18
Bug 35960: Use .val() instead of string concat to prevent potential XSS

Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char
3. Open the brower's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
   fragment. It should be URI-encoded.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt