git.koha-community.org Git - koha.git/commit

Bug 19035 - Stored XSS in lists.pl

To Test
1. Hit the page /cgi-bin/koha/patron_lists/lists.pl
2. Click on new patron list
3. Add a text in the field Name that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Fixed in both the pages list.pl and list.pl?patron_list_id=xx
xx is patronlist id

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 34dcc80055998c7b301de6e2bbcfa20067c8a63c)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

author	Amit Gupta <amit.gupta@informaticsglobal.com>
	Tue, 15 Aug 2017 03:03:41 +0000 (08:33 +0530)
committer	Fridolin Somers <fridolin.somers@biblibre.com>
	Wed, 23 Aug 2017 15:00:50 +0000 (17:00 +0200)
commit	c0cc4229904e2c91fd583c1b905ce3a214990ccb
tree	b9043dc824c017b50d1572699c9564f8a2410c3f	tree \| snapshot
parent	2fabe5ee8f719140065b429f6a13f4633c3145a8	commit \| diff

koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt		diff \| blob \| history
koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt		diff \| blob \| history