From 01038a03d49b42beefe480906ab1b7c9547f3f51 Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Fri, 19 Jun 2015 11:30:22 +1200
Subject: [PATCH] Bug 14418 : XSS flaw in opac-shelves.pl

To test:
1/ Create a list and add at least one item to it
2/ Hit a url like
http://192.168.2.18/cgi-bin/koha/opac-shelves.pl?viewshelf=7&sort=author&direction=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
Where the shelf id is the number of the list you created, notice the js is executed
3/ Apply the patch
4/ Reload the page, notice the js is now escaped

Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
---
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
index 03d18ba273..6bdf174542 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
@@ -162,7 +162,7 @@
 Send list
 [% END %]
- Print list
+ Print list
 [% IF ( manageshelf ) %]
 |
-- 
2.39.5
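Review bot: the `-` and `+` lines for the Print list link in this hunk read identically once the template markup is stripped, so the diff as shown does not tell a reviewer which request parameter was escaped or how; the commit message should say so explicitly (for example, "escape `sort` and `direction` in the Print list href with the template's output-escaping filter"), since reviewers and backporters verifying the "js is now escaped" claim in step 4 have only this one-line change to go on. The test plan also only exercises `direction`, while the same test URL carries `sort=author` through the same link; step 2 should inject into both parameters, and the neighbouring Send list link visible in the context lines deserves the same check if it rebuilds the URL from the same parameters. Minor: replace the private dev-box address `192.168.2.18` in the test URL with a generic host placeholder so the plan is reusable.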