From 5bdf4601df1de15387fe8a3c43e526e811a3c39f Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Wed, 10 Dec 2014 12:47:30 +1300 Subject: [PATCH] Bug 13425 - XSS in opac facets - Patch for master and 3.18 To Test 1/ Craft a url like /cgi-bin/koha/opac-search.pl?q=123&sort_by='">&limit=123 It is important it must return results and facets 2/ Notice the js is executed 3/ Apply the patch test again Signed-off-by: Mirko Tietgen Popup is gone after applying the patch. Facet link still shows it but does not execute. It's gone after clicking the link. Signed-off-by: Jonathan Druart Signed-off-by: Tomas Cohen Arazi --- koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc index 7044bfd031..e1b69a5abb 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc +++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc @@ -42,10 +42,10 @@ [% IF facet.active %] [% SET url = url _ "&nolimit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %] [% facet.facet_label_value %] - [x] + [x] [% ELSE %] [% SET url = url _ "&limit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %] - [% facet.facet_label_value %] + [% facet.facet_label_value %] [% IF ( displayFacetCount ) %] ([% facet.facet_count %]) [% END %] -- 2.39.5
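Review bot: as extracted, the removed and added lines of this hunk read identically (`- [x]` / `+ [x]` and `- [% facet.facet_label_value %]` / `+ [% facet.facet_label_value %]`), so the anchor markup that actually changed has been stripped and the escaping applied to `url` cannot be reviewed from what is visible; please re-post the hunk with the `<a href=...>` lines intact. What the hunk does show is that `url` is built by plain string concatenation from request-derived facet values (`[% SET url = url _ "&limit=" _ facet.type_link_value _ ":" _ facet.facet_link_value %]`), so the fix belongs at the point where `url` is written into the attribute, and the sign-off remark that the facet link "still shows it but does not execute" is consistent with an output-side escape rather than sanitising the value when it is constructed. Two further points: the test plan only exercises `sort_by`, while `q` and `limit` flow into the same `url` and should be covered by the same check, and the commit message would benefit from naming the filter that was applied (html or uri) so later readers do not have to infer it.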