From 20910660a27f61307153afa05c13d67b1b5e91af Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Fri, 19 Jun 2015 11:26:02 +1200 Subject: [PATCH] Bug 14416: Stored XSS vulnerability opac-addbybiblionumber.pl is also vulnerable because it doesn't escape list names. To test 1/ Create a malicious list name 2/ Try to add a biblio to the lists 3/ Notice js is excuted 4/ Apply patch 5/ Test again Signed-off-by: Jonathan Druart Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi (cherry picked from commit fb51a4bb0f3ac8b42b53579fe3d6d73d0b3438cd) Signed-off-by: Chris Cormack --- .../opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt index cb9bcb6f92..81edb61441 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt @@ -30,12 +30,12 @@ -- 2.39.5