git.koha-community.org Git - koha.git/commit

author	Liz <wizzyrea@gmail.com>
	Mon, 5 Jan 2015 02:32:32 +0000 (02:32 +0000)
committer	Mason James <mtj@kohaaloha.com>
	Fri, 23 Jan 2015 06:33:35 +0000 (19:33 +1300)
commit	0718ced5e452a3d295597d1b5ef976a6772610eb
tree	e27bb9fff6905b3d115dcde1357964ec751f8af4	tree \| snapshot
parent	20dd347c4866226e29c4bbeeebf66a33f347302a	commit \| diff

Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves

A specially crafted url causes XSS in Koha

To test:

cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E

cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves

These should cause a popup without the patch. With the patch, no popup.

You may need to create these lists, the xss will not be triggered if the list doesn't exist or you don't
have permission to view them.

Signed-off-by: Chris <chris@bigballofwax.co.nz>
Fixes the two listed problems

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed patch fixes the problem.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>

koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt		diff \| blob \| history
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt		diff \| blob \| history