From c176b8ceefc8a4b964b8671c4d3198af053b59c8 Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Fri, 11 Aug 2017 19:36:43 +0000 Subject: [PATCH] Bug 19086: Fix Stored XSS in members/member.pl To test 1/ hit /cgi-bin/koha/members/member.pl?&searchmember= 2/ Notice js is executed 3/ Apply patch, reload 4/ js is now escaped Signed-off-by: Amit Gupta Signed-off-by: Katrin Fischer Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart --- koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt index f8f2471bd7..73598d8e7c 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt @@ -115,7 +115,7 @@ var dtMemberResults; var search = 1; $(document).ready(function() { [% IF searchmember %] - $("#searchmember_filter").val("[% searchmember %]"); + $("#searchmember_filter").val("[% searchmember | html %]"); [% END %] [% IF searchfieldstype %] $("searchfieldstype_filter").val("[% searchfieldstype %]"); @@ -357,7 +357,7 @@ function filterByFirstLetterSurname(letter) {
-

Patrons found for: [% IF searchmember %] for '[% searchmember %]'[% END %]

+

Patrons found for: [% IF searchmember %] for '[% searchmember | html %]'[% END %]

[% IF CAN_user_tools_manage_patron_lists %]
-- 2.39.5