From 9cb8fd0114e8072e7901c5e2ef7544393830dcc1 Mon Sep 17 00:00:00 2001
From: Julian Maurice
Date: Thu, 1 Feb 2024 09:15:23 +0100
Subject: [PATCH] Bug 35960: Use .val() instead of string concat to prevent
 potential XSS

Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"withchar
3. Open the browser's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
   fragment. It should be URI-encoded.

Signed-off-by: Owen Leonard
Signed-off-by: Victor Grousset/tuxayo
Signed-off-by: Katrin Fischer
(cherry picked from commit e6f8a4361e2975dfefcd9773fa61ef7d40300086)
Signed-off-by: Fridolin Somers
---
 koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
index 1980f4dce9..fe35c5cb64 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
@@ -250,7 +250,9 @@
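Review bot: the test plan only states a positive check for the `auth_forwarded_hash` input (value attribute present, matches the fragment, URI-encoded) and has no negative check for the XSS the subject line says this fixes; since the chosen fragment `#somestring"withchar` contains the `"` that would terminate a concatenated `value="..."` attribute, add a step 5 along the lines of "Confirm the page still contains exactly one `auth_forwarded_hash` input and no stray text or extra elements after it", so the reviewer verifies the fragment is stored as a value rather than interpreted as markup. The hunk body after `@@ -250,7 +250,9 @@` is not included on this page, so the `.val()` change itself cannot be checked here beyond the stated intent.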