From e576b89c461c87efc122816fca9f6c3ba08a1833 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Mon, 13 Nov 2017 09:27:44 +0530
Subject: [PATCH] Bug 19614: Fix XSS in members/pay.pl

To Test
1. Hit the page /cgi-bin/koha/members/memberentry.pl
2. Add a text in the field firstname, surname that contains js
3. Save the page.
4. click on fine tab
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Signed-off-by: Chris Cormack
Signed-off-by: Katrin Fischer
Signed-off-by: Jonathan Druart
Signed-off-by: Nick Clemens
---
 koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
index ead4ce4cb9..f40bae7216 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
@@ -3,7 +3,7 @@
 [% USE Branches %]
 [% USE Price %]
 [% INCLUDE 'doc-head-open.inc' %]
-Koha › Patrons › Pay Fines for [% borrower.firstname %] [% borrower.surname %]
+Koha › Patrons › Pay Fines for [% borrower.firstname |html %] [% borrower.surname |html %]
 [% INCLUDE 'doc-head-close.inc' %]
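Review bot: The `|html` filter on the added title line is the right escape for text content inside `<title>` (it neutralises the `</title><script>` break-out that the test plan triggers), but Template Toolkit's `html` filter only escapes `& < > "`, so it is not sufficient if the same `borrower.firstname`/`borrower.surname` values are emitted elsewhere in this template inside a single-quoted attribute, a URL, or a `<script>` block — those contexts need a context-appropriate filter rather than `|html`. Only this one changed line is visible here: the diffstat reports 3 insertions and 3 deletions and the `@@ -3,7 +3,7 @@` header promises seven lines per side while five are shown, so the remaining changes and this hunk's trailing context lie beyond this view and I cannot confirm every rendering of these patron fields in pay.tt is covered. Because the payload is stored via memberentry.pl, escaping at output time is the correct layer (do not "sanitise" on input), though per-variable filters regress easily whenever a new variable is added; a template-wide default html filter with an explicit opt-out for trusted markup is the durable fix for this class of bug. A short guard comment above the title, such as `[%# patron names are user-supplied: keep |html (or a context-specific filter) on every output of them %]`, would help the next editor.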