From eccce3e1ba3bbcb73d47defc49b322fe578e5014 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 14:10:43 +0530
Subject: [PATCH] Bug 19108 - Stored XSS in fieldmapping.pl

To Test
1. Hit the page /cgi-bin/koha/admin/fieldmapping.pl
2. Add a text in the field Field name that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
(cherry picked from commit 77ddae74d661fb589d74bd85f5561fdd4131af70)
Signed-off-by: Fridolin Somers
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt
index d1827503e7..238555a1b5 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt
@@ -69,7 +69,7 @@ $(document).ready(function() {
[% FOREACH field IN fields %]
- [% field.field %]
+ [% field.field |html %]
[% field.fieldcode %] [% field.subfieldcode %] Delete
-- 
2.39.5
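Review bot: Only `field.field` gets the `|html` filter, while the two sibling cells `[% field.fieldcode %]` and `[% field.subfieldcode %]` in the same row still interpolate stored values without escaping; if those columns are populated from the same admin form (the hunk does not show the form, so this is inferred), they are the same stored-XSS sink and should be changed to `[% field.fieldcode |html %]` and `[% field.subfieldcode |html %]` in this patch rather than in a follow-up. The test plan only exercises the "Field name" input, so it would not catch a payload in the other two fields. The `Delete` link at the end of the row presumably carries an identifier from `field` as well; worth confirming it is escaped or numeric-only. The `FOREACH` block opened at the top of the hunk closes outside it, so any other interpolations of `field.*` further down the row are not visible here.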