From 64abaa063d578567c18ee84a8e6abc424fa0da97 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 13:55:45 +0530
Subject: [PATCH] Bug 19108 - Stored XSS in classsources.pl

Fixed for both Classification sources & Classification filing rules

To Test
1. first case classification source:
Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_source
second case classification filing rules:
Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_sort_rule
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
(cherry picked from commit 940c8634914b50940cfaf73af3611e6282d5803f)
Signed-off-by: Fridolin Somers
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt
index be817dc4b1..314b51e841 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt
@@ -213,7 +213,7 @@
 [% FOREACH class_source IN class_sources %]
 [% class_source.code %]
- [% class_source.description %]
+ [% class_source.description |html %]
 [% IF ( class_source.used ) %]Yes[% ELSE %]No[% END %]
 [% class_source.sortrule %]
@@ -247,7 +247,7 @@
 [% FOREACH class_sort_rule IN class_sort_rules %]
 [% class_sort_rule.rule %]
- [% class_sort_rule.description %]
+ [% class_sort_rule.description |html %]
 [% class_sort_rule.sort_routine %]
 Edit
--
2.39.5
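Review bot: The `|html` filter is added only to `description` in both hunks, while the neighbouring interpolations on the same rows (`[% class_source.code %]` and `[% class_source.sortrule %]` in the first hunk, `[% class_sort_rule.rule %]` and `[% class_sort_rule.sort_routine %]` in the second) remain unescaped. If those values are entered through the same admin forms the test plan exercises, which the hunk does not show, they have the same stored-XSS exposure as the description and should carry the same filter, e.g. `[% class_source.code | html %]` and `[% class_source.sortrule | html %]`, with the matching change in the second hunk. Escaping at every output point, rather than only the field named in the report, is what keeps the fix from needing a follow-up. Both FOREACH loops begin and end outside the hunks, so the rest of each row is not visible here.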