From 2fabe5ee8f719140065b429f6a13f4633c3145a8 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 20:58:34 +0530
Subject: [PATCH] Bug 19114 - Stored XSS in parcels.pl

Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped

Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl

Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
(cherry picked from commit a4ee6ce526cf0b7897badf427c18ae6bfbefe0c5)
Signed-off-by: Fridolin Somers
---
 .../intranet-tmpl/prog/en/modules/acqui/orderreceive.tt | 4 ++--
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt | 6 +++---
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcels.tt | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt
index b6e790cce1..b26343cda0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt
@@ -125,7 +125,7 @@
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'acquisitions-search.inc' %]
-
+
@@ -133,7 +133,7 @@
-

Receive items from : [% name %] [% IF ( invoice ) %][[% invoice %]] [% END %] (order #[% ordernumber %])

+

Receive items from : [% name %] [% IF ( invoice ) %][[% invoice |html %]] [% END %] (order #[% ordernumber %])

[% IF ( count ) %]
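Review bot: The added line still emits `[% name %]` with no filter on the same breadcrumb text that now escapes `invoice`; if the vendor name is editable through the same acquisitions forms it is stored data of the same kind, and the line should read `Receive items from : [% name |html %] [% IF ( invoice ) %][[% invoice |html %]] [% END %] (order #[% ordernumber %])`. The same unfiltered `[% name %]` sits beside the newly filtered `invoice` in both parcel.tt hunks at 150 and 175, and the parcel.tt hunk at 218 leaves `[% loggedinusername %]` unfiltered next to `[% invoice |html %]`. The markup of the removed and added lines appears to have been lost in this copy of the patch, so the enclosing element cannot be checked here.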
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt
index a894cf4eb4..1bb2c69eba 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt
@@ -150,7 +150,7 @@
 [% IF datereceived %]
 Receipt summary for [% name %]
 [% IF ( invoice ) %]
- [ [% invoice %] ]
+ [ [% invoice |html %] ]
 [% END %]
 on [% datereceived | $KohaDates %]
 [% ELSE %]
@@ -175,7 +175,7 @@
 [% END %]

 [% IF datereceived %]
- Receipt summary for [% name %] [% IF ( invoice ) %] [ [% invoice %] ] [% END %] on [% datereceived | $KohaDates %]
+ Receipt summary for [% name %] [% IF ( invoice ) %] [ [% invoice |html %] ] [% END %] on [% datereceived | $KohaDates %]
 [% ELSE %]
 Receive orders from [% name %]
 [% END %]
@@ -218,7 +218,7 @@
 [% UNLESS no_orders_to_display %]
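Review bot: The new filter is spelled `[% invoice |html %]` while the existing filter on the same added line is spaced `[% datereceived | $KohaDates %]`; writing it as `[% invoice | html %]` keeps the filter syntax uniform within the line and makes escaped outputs easier to grep for. The same spacing is used for every `|html` this patch adds, so the change would apply across all three files.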
-

Invoice number: [% invoice %] Received by: [% loggedinusername %] On: [% datereceived | $KohaDates %]

+

Invoice number: [% invoice |html %] Received by: [% loggedinusername %] On: [% datereceived | $KohaDates %]

[% UNLESS (invoiceclosedate) %]