Bug 37861: Fix XSS vulnerability in barcode append function
When user inputs were appended directly to the barcode table, the values were not properly escaped, allowing potential XSS attacks. This patch ensures that user inputs are sanitized and safely added to the DOM using .text() and .attr() methods to prevent script injection.
To test:
Enable the "SelfCheckInModule".
Open the barcode input form.
Enter a barcode with HTML or script tags.
Without the patch, observe that the script is executed.
Apply the patch.
Repeat step 2.
Verify that the input is escaped and no script execution occurs.
Check that the barcode is properly appended to the table.
Documentation:
No updates required.
Sponsored-by: KillerRabbitAos
Signed-off-by: Bo Gustavsson <bosse@gustavsson.one>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
(cherry picked from commit f1a02fdfe127ebebc0a53596f30c24c7e3c9e285)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
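The two append patterns the message contrasts, as an added example that is neither Koha's code nor this patch's diff: it assumes a hypothetical row layout with a `data-barcode` attribute, and uses a minimal DOM stand-in so it runs in Node (in a browser, jQuery's .text() and .attr() play the role of textContent and setAttribute here).

```javascript
// Added example (not Koha's code): the raw-markup append that allowed the XSS
// beside the .text()/.attr()-style fix, on a minimal DOM stand-in so it runs in Node.

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Element model: text and attribute values are stored as data, never parsed.
// appendHtml() stands in for jQuery .append("<td>" + input + "</td>"), which parses markup;
// setAttribute()/textContent stand in for jQuery .attr()/.text().
class Element {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; this.text = ""; this.rawHtml = ""; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  set textContent(value) { this.text = String(value); }
  append(child) { this.children.push(child); }
  appendHtml(markup) { this.rawHtml += markup; }
  // Serialise as a browser would: stored data is escaped, parsed markup comes out as-is.
  serialize() {
    const attrs = Object.entries(this.attrs).map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join("");
    const kids = this.children.map((c) => c.serialize()).join("");
    return `<${this.tag}${attrs}>${this.rawHtml}${escapeHtml(this.text)}${kids}</${this.tag}>`;
  }
}

// Before the patch: the barcode is concatenated into markup, so a "<script>" in the
// input becomes a real element when the row is appended.
function appendBarcodeUnsafe(table, barcode) {
  const row = new Element("tr");
  row.appendHtml(`<td class="barcode" data-barcode="${barcode}">${barcode}</td>`);
  table.append(row);
  return row.serialize();
}

// After the patch: the barcode goes in as text and as an attribute value, so it is
// only ever displayed. (The data-barcode attribute is a hypothetical detail.)
function appendBarcodeSafe(table, barcode) {
  const row = new Element("tr");
  const cell = new Element("td");
  cell.setAttribute("class", "barcode");
  cell.setAttribute("data-barcode", barcode);
  cell.textContent = barcode;
  row.append(cell);
  table.append(row);
  return row.serialize();
}

// Constructed input matching the test plan's "barcode with HTML or script tags".
const TAGGED_BARCODE = "<script>alert(1)</script>";
```

Run both functions against TAGGED_BARCODE: the unsafe row contains a live script element, the safe row contains only escaped text in both the cell body and the attribute.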