]> git.koha-community.org Git - koha.git/commit
projects / koha.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e94a7e3) | patch
Bug 37654: XSS in Batch record import for Citation column
authorPhil Ringnalda <phil@chetcolibrary.org>
Fri, 16 Aug 2024 02:57:42 +0000 (19:57 -0700)
committerLucas Gass <lucas@bywatersolutions.com>
Mon, 30 Sep 2024 15:30:47 +0000 (15:30 +0000)
commit25672f82f090ac411c027da9ca044f7269f82814
tree26026f0c1508c2dd40fd90c918348ac98cadca8btree | snapshot
parente94a7e34f330082fd485309fc08250aaf3645633commit | diff
Bug 37654: XSS in Batch record import for Citation column

Viewing a staged MARC record batch loads a DataTable from
/tools/batch_records_ajax.pl, and both batch_records_ajax.pl and the
DataTable just trust the author/title/isbn/issn to be free of HTML. They
shouldn't.

Test plan:
1. Without this patch applied, download attachment 170418, then Cataloging
   - Stage records for import - Select the downloaded file - Upload file -
   Stage for import
2. When the background job completes, View batch - you'll get three alert()s
   from the title, author, and ISSN, and the author and ISSN displayed huge
3. Apply patch, restart_all
4. Manage staged records - click HTMLescapingimporttestrecord.mrc - get zero
   alerts and no <h2> display

Sponsored-by: Chetco Community Public Library
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
koha-tmpl/intranet-tmpl/prog/en/modules/tools/manage-marc-import.tt diff | blob | history
Main Koha release repository