git.koha-community.org Git - koha.git/commit

Bug 19035 - Stored XSS in lists.pl

To Test
1. Hit the page /cgi-bin/koha/patron_lists/lists.pl
2. Click on new patron list
3. Add a text in the field Name that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Fixed in both the pages list.pl and list.pl?patron_list_id=xx
xx is patronlist id

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

author	Amit Gupta <amit.gupta@informaticsglobal.com>
	Tue, 15 Aug 2017 03:03:41 +0000 (08:33 +0530)
committer	Jonathan Druart <jonathan.druart@bugs.koha-community.org>
	Tue, 29 Aug 2017 15:00:37 +0000 (12:00 -0300)
commit	36ba8be88a9543942102580f2b1abe1e5e108c35
tree	7a2f7188824fdcb5d66c4d4d053d93172c63dd38	tree \| snapshot
parent	8534ca278022e82f55b1907bac31afa7e86b9d5f	commit \| diff

koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt		diff \| blob \| history
koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt		diff \| blob \| history