From 5e5cd8025301bb6efc2031f9e6f8a48a768a0dc8 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 22:58:02 +0530
Subject: [PATCH] Bug 16069 - XSS issue in basket.pl page
1. Hit /cgi-bin/koha/acqui/basket.pl?basketno=xx xx - is a basketno
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/acqui/basket.pl?basketno==xx xx - is a basketno.
5. Notice it is no longer executed.
Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
(cherry picked from commit 91711087e93e5da6265bac329791e45afb7d354f)
Signed-off-by: Fridolin Somers
---
 .../intranet-tmpl/prog/en/modules/acqui/basket.tt | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
index cc98f2385c..75603e1f42 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
@@ -4,7 +4,7 @@
 [% USE AuthorisedValues %]
 [% INCLUDE 'doc-head-open.inc' %]
-Koha › Acquisitions › [% UNLESS ( basketno ) %]New [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]
+Koha › Acquisitions › [% UNLESS ( basketno ) %]New [% END %]Basket [% basketname|html %] ([% basketno |html %]) for [% name|html %]
 [% INCLUDE 'doc-head-close.inc' %]
 [% INCLUDE 'datatables.inc' %]
@@ -68,7 +68,7 @@
 function confirm_ediorder() {
 var is_confirmed = confirm(_("Are you sure you want to close this basket and generate an EDIFACT order?"));
 if (is_confirmed) {
- window.location = "/cgi-bin/koha/acqui/basket.pl?op=edi_confirm&basketno=[% basketno %]";
+ window.location = "/cgi-bin/koha/acqui/basket.pl?op=edi_confirm&basketno=[% basketno |html %]";
 }
 }
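Review bot: The `|html` filter added to the `window.location` assignment in confirm_ediorder escapes for an HTML text context, but `[% basketno %]` there is interpolated into a JavaScript string literal that is itself a URL query value, and a browser does not decode entities inside a script block. It stops this injection only because Template Toolkit's html filter happens to rewrite `"` and `<`, while a legitimate value containing `&` would reach the server as `&amp;`; the context-appropriate filter for a query parameter is `uri`, i.e. `window.location = "/cgi-bin/koha/acqui/basket.pl?op=edi_confirm&basketno=[% basketno | uri %]";`, and the same applies to the reopen redirect in the following hunk. Since basketno is by all appearances an integer row id, the more robust fix is for basket.pl to reject a non-numeric basketno before the template is rendered; the patch does not touch that script, so I cannot confirm from here whether it already does. The enclosing script block continues outside the hunk.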
@@ -93,7 +93,7 @@
 var skip = [% IF ( skip_confirm_reopen ) %] 1 [% ELSE %] 0 [% END %];
 var is_confirmed = skip || confirm(_("Are you sure you want to reopen this basket?"));
 if (is_confirmed) {
- window.location = "/cgi-bin/koha/acqui/basket.pl?op=reopen&basketno=[% basketno %]";
+ window.location = "/cgi-bin/koha/acqui/basket.pl?op=reopen&basketno=[% basketno |html %]";
 }
 }
 //]]>
@@ -171,7 +171,7 @@ HomeAcquisitions[% name|html %] ›
- [% UNLESS ( basketno ) %][% IF ( delete_confirmed ) %]Deleted [% ELSE %]New [% END %][% END %]Basket [% basketname|html %] [% IF ( basketno ) %]([% basketno %])[% END %] for [% name|html %]
+ [% UNLESS ( basketno ) %][% IF ( delete_confirmed ) %]Deleted [% ELSE %]New [% END %][% END %]Basket [% basketname|html %] [% IF ( basketno ) %]([% basketno |html %])[% END %] for [% name|html %]
@@ -328,7 +328,7 @@ [% END %]
[% END %] -

[% UNLESS ( basketno ) %]New [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]

+

[% UNLESS ( basketno ) %]New [% END %]Basket [% basketname|html %] ([% basketno |html %]) for [% name|html %]

[% IF ( basketno ) %]
-- 2.39.5