Bug 13425 - XSS in opac facets - Patch for master and 3.18
To Test
1/ Craft a url like /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123
It is important that it returns results and facets
2/ Notice the js is executed
3/ Apply the patch, test again
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Popup is gone after applying the patch. Facet link still shows it but does not execute. It's gone after clicking the link.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
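The test plan above reflects the sort_by query parameter back into the facet links without encoding, which is what lets the injected script tag run. The following Perl is an added illustration, not Koha's code or the contents of the patch: it shows a hypothetical facet-link builder with the raw interpolation pattern next to a hardened version that percent-encodes each query component and then HTML-escapes the whole href. The function names, the sample parameter values and the payload (taken from the test URL) are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed payload mirroring step 1 of the test plan: a sort_by value that
# closes the href attribute and injects a script element.
my $sort_by = q{'"><script>prompt('Happy_Holidays')</script>};

# Vulnerable pattern (hypothetical, not Koha's code): the query parameters are
# interpolated into the facet link untouched, so the browser sees a closed
# attribute followed by a live <script> tag.
sub facet_link_unsafe {
    my ($q, $sort_by, $limit) = @_;
    return qq{<a href="/cgi-bin/koha/opac-search.pl?q=$q&amp;sort_by=$sort_by&amp;limit=$limit">facet</a>};
}

# Percent-encode one query-string component. Everything outside the RFC 3986
# unreserved set is encoded; the string is first turned into UTF-8 bytes so
# non-ASCII characters are encoded byte by byte.
sub uri_escape_component {
    my ($s) = @_;
    utf8::encode($s) if utf8::is_utf8($s);
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Escape the five characters that matter inside HTML text and attributes.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Hardened version: encode each component for the URL context first, then
# escape the assembled URL for the attribute context. Order matters: the
# attribute escaping is applied last because it is the outermost context.
sub facet_link_safe {
    my ($q, $sort_by, $limit) = @_;
    my $url = sprintf('/cgi-bin/koha/opac-search.pl?q=%s&sort_by=%s&limit=%s',
        map { uri_escape_component($_) } ($q, $sort_by, $limit));
    return '<a href="' . html_escape($url) . '">facet</a>';
}

print "unsafe: ", facet_link_unsafe('123', $sort_by, '123'), "\n";
print "safe:   ", facet_link_safe('123', $sort_by, '123'), "\n";
```

Run it and compare the two lines: the unsafe link contains a literal `"><script>` sequence, while the safe one carries `%27%22%3E%3Cscript%3E...` inside the href, so the payload is still visible in the link text, as the sign-off comment describes, but is never parsed as markup or executed. When the page is rendered through Template Toolkit, the same two steps correspond to the standard `uri` filter for the query component and the `html` filter for the attribute value.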