]> git.koha-community.org Git - koha.git/commit
Bug 14418: XSS flaw in opac-shelves.pl
authorChris Cormack <chrisc@catalyst.net.nz>
Thu, 18 Jun 2015 23:30:22 +0000 (11:30 +1200)
committerChris Cormack <chrisc@catalyst.net.nz>
Mon, 22 Jun 2015 21:44:01 +0000 (09:44 +1200)
commit04fe052de7337f7c348de69df3d0ec1184b80e8d
treed3fdef1d4e787fb366cac81e469d7310f8f40512
parent21cc992e7e5a35ccf1b7614cae638c9863e2a35f
Bug 14418: XSS flaw in opac-shelves.pl

To test:
1/ Create a list and add at least one item to it
2/ Hit a url like http://192.168.2.18/cgi-bin/koha/opac-shelves.pl?viewshelf=7&sort=author&direction=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
  Where the shelf id is the number of the list you created, notice the js is executed
3/ Apply the patch
4/ Reload the page notice the js is now escaped

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit b6ca2b0cd2d95e8aedbfd7c0c58ace8200620bf1)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt