From b09750ca2b1446bdeaf78a5989b4325e41789362 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 13:55:45 +0530
Subject: [PATCH] Bug 19108: Fix Stored XSS in classsources.pl

Fixed for both Classification sources & Classification filing rules

To Test
1. first case classification source: Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_source second case classification filing rules: Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_sort_rule
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt
index be817dc4b1..314b51e841 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/classsources.tt
@@ -213,7 +213,7 @@
 [% FOREACH class_source IN class_sources %]
 [% class_source.code %]
- [% class_source.description %]
+ [% class_source.description |html %]
 [% IF ( class_source.used ) %]Yes[% ELSE %]No[% END %]
 [% class_source.sortrule %]
@@ -247,7 +247,7 @@
 [% FOREACH class_sort_rule IN class_sort_rules %]
 [% class_sort_rule.rule %]
- [% class_sort_rule.description %]
+ [% class_sort_rule.description |html %]
 [% class_sort_rule.sort_routine %]
 Edit
-- 
2.39.5
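Review bot: Only `description` receives the `|html` filter, while the neighbouring values in the same table rows are still emitted unescaped: `[% class_source.code %]` and `[% class_source.sortrule %]` in the first hunk, and `[% class_sort_rule.rule %]` and `[% class_sort_rule.sort_routine %]` in the second. If those columns are stored from the same admin forms (`op=add_source`, `op=add_sort_rule`) they are the same class of input and should be output as `[% class_source.code |html %]`, `[% class_source.sortrule |html %]`, and likewise for the rule and sort_routine cells, otherwise the commit closes one of several sinks on this page. The test plan in the description only exercises the Description field, so it would not detect this. Both hunks sit inside FOREACH loops whose opening and closing lines extend beyond the hunk.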