From d1aa11c51c0b7312ea08327b57b4adb04f3c7c48 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 13:33:57 +0530
Subject: [PATCH] Bug 19108: Fix Stored XSS in oai_sets.pl
To Test
1. Hit the page /cgi-bin/koha/admin/oai_sets.pl
2. Click on New set
3. Add a text in the field setSpec, setName that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
---
 .../prog/en/modules/admin/oai_set_mappings.tt | 2 +-
 .../intranet-tmpl/prog/en/modules/admin/oai_sets.tt | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/oai_set_mappings.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/oai_set_mappings.tt
index f3f35b7706..338a53f74f 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/oai_set_mappings.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/oai_set_mappings.tt
@@ -56,7 +56,7 @@ function hideDialogBox() {

Return to sets management

[% END %] -

Mappings for set '[% setName %]' ([% setSpec %])

+

Mappings for set '[% setName |html %]' ([% setSpec |html %])

[% UNLESS ( mappings ) %]

Warning: No mappings have been defined for this set

[% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/oai_sets.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/oai_sets.tt
index 0576739a39..3475442070 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/oai_sets.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/oai_sets.tt
@@ -45,7 +45,7 @@ $(document).ready(function() {
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'prefs-admin-search.inc' %]
-
+
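Review bot: The `|html` filter is applied only to the interpolations visible in this hunk and in the two oai_sets.tt hunks that follow (the edit-view heading and the `set.spec` / `set.name` / `desc.description` table cells), all of which are element content; the same stored values are presumably also echoed back into the edit form's input `value="…"` attributes, which this patch does not touch, so they would remain unescaped there unless the filter is added as well. A grep of both templates for `[% spec %]`, `[% setName %]`, `[% setSpec %]` and any `[% set.` / `[% desc.` interpolation without a filter would confirm coverage before the bug is closed. Also worth noting that `|html` is the right encoder for element content and quoted attributes but not for values placed inside inline `<script>` blocks, where a JS/JSON encoder is needed; both templates carry inline jQuery, as the `$(document).ready` hunk context shows, so any use of these values there should be checked separately.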
@@ -58,7 +58,7 @@ $(document).ready(function() {

Add a new OAI set

[% ELSIF ( op_mod ) %] -

Edit OAI set '[% spec %]'

+

Edit OAI set '[% spec |html %]'

[% END %]
@@ -109,13 +109,13 @@ $(document).ready(function() {
 [% FOREACH set IN sets_loop %]
- [% set.spec %]
- [% set.name %]
+ [% set.spec |html %]
+ [% set.name |html %]
 [% IF set.descriptions %]
    [% FOREACH desc IN set.descriptions %] -
  • [% desc.description %]
  • +
  • [% desc.description |html %]
  • [% END %]
[% ELSE %] -- 2.39.5
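Review bot: The commit's test plan is manual only, so nothing prevents a future edit from dropping the filter again; a regression test that saves a set whose setSpec and setName contain a harmless marker such as `<b>x</b>` (constructed) and asserts the rendered listing contains `&lt;b&gt;x&lt;/b&gt;` rather than the raw tag would pin the fix for the table cells in this hunk and for the headings in the earlier hunks. More generally, per-site `|html` additions rely on every future interpolation remembering the filter; an escape-by-default template configuration with an explicit opt-out for trusted markup would address the class of bug rather than this instance. The trailing context lines of this hunk do not appear in this rendering, so the `[% ELSE %]` branch cannot be reviewed here.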