]> git.koha-community.org Git - koha.git/commit
Bug 19738: Fix XSS on vendor name in serials module
authorJosef Moravec <josef.moravec@gmail.com>
Sun, 3 Dec 2017 22:21:57 +0000 (22:21 +0000)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Thu, 15 Feb 2018 19:04:40 +0000 (16:04 -0300)
commitb59988f78d0db6ae953949aca9dd60bd88601596
tree7ab846e2dbaf86ba54b177752c1896b83c93905d
parente4301a52b83ca24876ff58fd78bee863df5ce398
Bug 19738: Fix XSS on vendor name in serials module

Test plan:

1) do not apply this patch
2) Have at least one vendor which name does contain javascript, for
example: <i>Vendor 1</i><script>alert('Hi');</script>
3) go to serial module and create new subscription
4) use "Search for vendor"
5) Search for your vendor, when search results table is presented, the
javascript is executed
6) go through subscription creation and save the new subscription
7) On subscription detail page, the javascript is executed as well
8) apply this patch
9) Repeat 3-7, the script is not executed, the input is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
koha-tmpl/intranet-tmpl/prog/en/modules/serials/acqui-search-result.tt
koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt