From d96b9c1ca2594f98c577bbdf7079dbb0f9581853 Mon Sep 17 00:00:00 2001
From: Chris
Date: Sun, 21 Jun 2015 08:46:40 +0000
Subject: [PATCH] Bug 14423: XSS issues in marc_subfields_structure 1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/marc_subfields_structure.pl?op=add_form&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E 2/ Notice all the alert boxes 3/ Apply patch 4/ Reload page, no more alerts 5/ Test functionality still works
Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit 91a8584aa845fb1695a46fe3b89197f7d1365d94)
Signed-off-by: Chris Cormack
---
 .../modules/admin/marc_subfields_structure.tt | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marc_subfields_structure.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marc_subfields_structure.tt
index bfa88158fe..c0a2863cb6 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marc_subfields_structure.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marc_subfields_structure.tt
@@ -167,19 +167,19 @@ function populateHiddenCheckboxes(tab) {
 [% INCLUDE 'cat-search.inc' %]
@@ -191,14 +191,14 @@ function populateHiddenCheckboxes(tab) { [% IF ( add_form ) %]

[% IF ( use_heading_flags_p ) %]
- [% IF ( heading_edit_subfields_p ) %]Tag [% tagfield %] Subfield constraints[% END %]
+ [% IF ( heading_edit_subfields_p ) %]Tag [% tagfield | html %] Subfield constraints[% END %]
 [% ELSE %] [% action %] [% END %]

-
+
    @@ -339,7 +339,7 @@ function populateHiddenCheckboxes(tab) { [% END %]
- Cancel
+ Cancel
[% END %] @@ -352,7 +352,7 @@ function populateHiddenCheckboxes(tab) {
-
+
@@ -360,7 +360,7 @@ function populateHiddenCheckboxes(tab) {
-
+
@@ -371,14 +371,14 @@ function populateHiddenCheckboxes(tab) {

Data deleted

-
+
[% END %] [% IF ( else ) %] -

MARC subfield structure admin for [% tagfield %] [% IF ( frameworkcode ) %](framework [% frameworkcode %])[% ELSE %](default framework)[% END %]

+

MARC subfield structure admin for [% tagfield | html %] [% IF ( frameworkcode ) %](framework [% frameworkcode %])[% ELSE %](default framework)[% END %]

This screen shows the subfields associated with the selected tag. You can edit subfields or add a new one by clicking on edit.

The column Koha field shows that the subfield is linked with a Koha field. Koha can manage a MARC interface, or a Koha interface. This link ensures that both DB are synchronized, thus you can change from a MARC to a Koha interface easily.
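Review bot: On the rewritten heading line (`MARC subfield structure admin for [% tagfield | html %] [% IF ( frameworkcode ) %](framework [% frameworkcode %])…`) `[% frameworkcode %]` is still interpolated with no filter, so if frameworkcode is read from the request the same way tagfield is, the heading stays injectable through that parameter; the fix is `(framework [% frameworkcode | html %])`, and the same check applies to every other bare `[% frameworkcode %]` in this template. The markup of the input and Cancel-link lines in this hunk has been stripped in this rendering, so I cannot confirm which filter they use; a value placed inside an `href` query string should use `| uri`, while a value inside a quoted attribute needs `| html`. The `[% IF ( else ) %]` block opened at the top of this hunk closes outside it.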

@@ -428,7 +428,7 @@ function populateHiddenCheckboxes(tab) {
- Cancel
+ Cancel
-- 
2.39.5