From 011030fc4cf3447db2b4fef85344cedc429fa1ae Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Mon, 7 Aug 2017 21:08:36 +0530 Subject: [PATCH] Bug 19051 - XSS Flaws in - Batch record deletion page 1. Hit /cgi-bin/koha/tools/batch_delete_records.pl 2. Enter in the Record number list (one per line) text area. 3. Notice the iframe is executed. 4. Apply patch. 5. Reload page, and enter iframe again on Record number list (one per line) text area. 6. Notice it is no longer executed. 7. Fixes for both biblio and authority records. Signed-off-by: Chris Cormack Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart (cherry picked from commit 63fce3cdb10637a14efa5ac61e9fb21e4b04e364) Signed-off-by: Fridolin Somers --- .../prog/en/modules/tools/batch_delete_records.tt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batch_delete_records.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batch_delete_records.tt index 58249ee857..20777c8912 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batch_delete_records.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batch_delete_records.tt @@ -104,9 +104,9 @@ $(document).ready(function() {
[% END %] [% IF message.code == 'biblio_not_exists' %] - The biblionumber [% message.biblionumber %] does not exist in the database. + The biblionumber [% message.biblionumber |html %] does not exist in the database. [% ELSIF message.code == 'authority_not_exists' %] - The authority id [% message.authid %] does not exist in the database. + The authority id [% message.authid |html %] does not exist in the database. [% ELSIF message.code == 'item_issued' %] At least one item is checked out on bibliographic record [% message.biblionumber %]. [% ELSIF message.code == 'reserve_not_cancelled' %] -- 2.39.5
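Review bot: The `item_issued` branch, which this hunk keeps as unchanged context after the two changed lines, still renders `[% message.biblionumber %]` without the `|html` output filter that the `biblio_not_exists` and `authority_not_exists` lines now use. Since the same `message.biblionumber` value is echoed back in every branch of this `[% IF message.code ... %]` chain, apply the filter consistently, i.e. change the context line to `At least one item is checked out on bibliographic record [% message.biblionumber |html %].`, and check the branches the hunk does not show (`reserve_not_cancelled` onward) for the same unfiltered interpolation. Escaping at output time with `|html`, as the two `+` lines do, is the right shape of fix for Template Toolkit templates; the commit message's "Fixes for both biblio and authority records" is accurate for the two messages touched, but the diffstat (`2 insertions(+), 2 deletions(-)`) confirms nothing else on the page was covered.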