Bug 14416: Stored XSS vulnerability
opac-addbybiblionumber.pl is also vulnerable because it doesn't escape
list names.
To test
1/ Create a malicious list name
2/ Try to add a biblio to the lists
3/ Notice js is excuted
4/ Apply patch
5/ Test again
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit
fb51a4bb0f3ac8b42b53579fe3d6d73d0b3438cd)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
projects / koha.git / commit