Bug 19114 - Stored XSS in parcels.pl
author: Amit Gupta <amit.gupta@informaticsglobal.com>
Tue, 15 Aug 2017 15:28:34 +0000 (20:58 +0530)
committer: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 29 Aug 2017 15:00:37 +0000 (12:00 -0300)
commit 8534ca278022e82f55b1907bac31afa7e86b9d5f
tree 436e0038ad799062dc2c210eebbbfac8aa0378c6
parent d31c635fe2cc6d0b715661d35a02723a48e42e2b
Bug 19114 - Stored XSS in parcels.pl

Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
   (xx is the booksellerid)
2. Add text in the Vendor invoice field that contains JavaScript
3. Save the page.
4. Notice the js is executed
5. Apply the patch and reload; the js is escaped

Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcels.tt
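The stored XSS above comes from a template interpolating the user-supplied vendor invoice number without escaping, and the fix lives in the three Template Toolkit files listed. The following is an added example (not the commit's own diff, which this page does not show) that renders a constructed invoice value through a raw `[% invoicenumber %]` tag beside the same tag with Template Toolkit's `html` filter; it assumes the patch applies that filter, as Koha's template conventions require, and uses `Template` from CPAN.

```perl
use strict;
use warnings;
use Template;

# Constructed sample input: a vendor invoice number containing markup,
# standing in for what a user could type into the Vendor invoice field.
my $invoice = '<script>alert("x")</script>';

my $tt = Template->new() or die Template->error();

# Before the fix: the value is interpolated raw, so the browser parses the
# tag and runs it whenever parcels.pl/parcel.pl/orderreceive.pl show it.
my $vulnerable = '<td>[% invoicenumber %]</td>';

# After the fix (assumed form of the patch): the html filter turns
# < > & " into entities, so the same value is displayed as inert text.
my $hardened = '<td>[% invoicenumber | html %]</td>';

for my $tmpl ($vulnerable, $hardened) {
    my $out = '';
    $tt->process(\$tmpl, { invoicenumber => $invoice }, \$out)
        or die $tt->error();
    print "$out\n";
}
```

Run it with `perl` and compare the two lines: the first echoes the `<script>` element verbatim, the second prints `&lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt;`. The defensive rule this illustrates is that every variable reaching HTML in these templates, not just the invoice number, needs the `html` filter (or `uri` in attribute/URL context), since escaping is per-output-site rather than per-input.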