From b4608887f664ed73d6813375f503b2bebd542adb Mon Sep 17 00:00:00 2001
From: Katrin Fischer
Date: Wed, 16 Aug 2017 14:34:17 +0200
Subject: [PATCH] Bug 19128: Fix Stored XSS in patron-attr-types.pl, authorised_values.pl and categories.pl
Preparation:
- Add a branch with script in the branch name
- Add a patron category with script in the category name
- Add a new authorised value cateogory with script
- Add a new authroised value for this category with script in all possible fields
- Test editing patron categories
- Test editing patron attribute types
- Test viewing and editing authorised values
Verify that with this script there is no more script executed and everything works fine.
Signed-off-by: Amit Gupta
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
---
 .../prog/en/modules/admin/authorised_values.tt | 18 +++++++++---------
 .../prog/en/modules/admin/categories.tt | 4 ++--
 .../prog/en/modules/admin/patron-attr-types.tt | 10 +++++-----
 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt
index 5aee840622..83983bfaf1 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt
@@ -109,9 +109,9 @@ $(document).ready(function() {
 [% FOREACH branch IN branches_loop %] [% IF ( branch.selected ) %] - + [% ELSE %] - + [% END %] [% END %]
@@ -164,7 +164,7 @@ $(document).ready(function() {
 [% IF op == 'list' %]
@@ -207,9 +207,9 @@ $(document).ready(function() {
@@ -250,7 +250,7 @@ $(document).ready(function() {
 [% IF ( category == 'NOT_LOAN' ) %]

Statuses to describe why an item is not for loan

[% END %] -

Authorized values for category [% category %]:

+

Authorized values for category [% category |html %]:

[% IF ( loop ) %]
[% END %]
@@ -272,8 +272,8 @@ $(document).ready(function() {
 [% END %] [% loo.authorised_value %]
- [% loo.lib %]
- [% loo.lib_opac %]
+ [% loo.lib |html %]
+ [% loo.lib_opac |html %]
 [% IF ( loo.imageurl ) %][% ELSE %] [% END %] [% IF loo.branches.size > 0 %]
@@ -296,7 +296,7 @@ $(document).ready(function() {
 [% END %] [% ELSE %] -
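Review bot: `[% loo.authorised_value %]` on the context line immediately before the two rewritten lines is still emitted without the `html` filter, while `loo.lib` and `loo.lib_opac` in the same row now get it; the authorised value code is presumably staff-entered in the same form as the descriptions (the commit message tests "script in all possible fields"), so it should be escaped the same way, `[% loo.authorised_value |html %]`. The image cell that follows (`[% IF ( loo.imageurl ) %]`) is not legible in this extraction, so whether `loo.imageurl` reaches an attribute unescaped cannot be confirmed from the hunk. Fixing occurrences one by one tends to leave gaps like this; a sweep of every interpolation in the template, with `html` for element text and attributes and the URI filter for query strings, is the more reliable close-out. The enclosing FOREACH loop starts outside the hunk.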
There are no authorized values defined for [% category %]
+
There are no authorized values defined for [% category |html %]
[% END %] [% IF ( isprevpage ) %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
index 4bdb146a54..9d8d65b39c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
@@ -160,9 +160,9 @@
 [% FOREACH branch IN branches_loop %] [% IF branch.selected %] - + [% ELSE %] - + [% END %] [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt
index b0c49bf0ac..8bdba693fd 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt
@@ -170,9 +170,9 @@ $(document).ready(function() {
 [% FOREACH branch IN branches_loop %] [% IF ( branch.selected ) %] - + [% ELSE %] - + [% END %] [% END %]
@@ -184,7 +184,7 @@ $(document).ready(function() {
 Choose one to limit this attribute to one patron type. Please leave blank if you want these attributes to be available for all types of patrons.
@@ -196,11 +196,11 @@ $(document).ready(function() {
 [% FOREACH class IN classes_val_loop %] [% IF class.authorised_value == category_class %] [% ELSE %] [% END %] [% END %]
-- 2.39.5