From 193ac375aa5e9f30b4a3421cdca54856ebce3ea8 Mon Sep 17 00:00:00 2001
From: Julian Maurice
Date: Thu, 1 Feb 2024 09:15:23 +0100
Subject: [PATCH] Bug 35960: Use .val() instead of string concat to prevent potential XSS
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"withchar
3. Open the browser's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
   fragment. It should be URI-encoded.

Signed-off-by: Owen Leonard
Signed-off-by: Victor Grousset/tuxayo
Signed-off-by: Katrin Fischer
(cherry picked from commit e6f8a4361e2975dfefcd9773fa61ef7d40300086)
Signed-off-by: Fridolin Somers
(cherry picked from commit 5409e17fb5abe0130f3cb2cd6c3d2a7707a5b251)
Signed-off-by: Frédéric Demians
---
 koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
index e87cb438c4..9ef3ebe7e0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
@@ -219,7 +219,9 @@
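Review bot: the hunk at @@ -219,7 +219,9 @@ of koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt has no body in this copy of the patch, so the 3 insertions and 1 deletion reported by the diffstat cannot be checked against the subject line's claim that string concatenation was replaced by .val(). Before signing off, confirm in the full diff that the auth_forwarded_hash input is no longer built by interpolating the URL fragment into markup, and that the value written is the URI-encoded fragment that step 4 of the test plan expects, since a fragment containing a double quote (the test plan's #somestring"withchar) is exactly the input that breaks out of a concatenated value="..." attribute.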
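The pattern the subject line describes, as an added example that is not Koha's code and does not reproduce the missing hunk: building the hidden input's markup by concatenating the URL fragment lets a double quote terminate the value attribute, whereas setting the element's value property (which is what jQuery's .val(v) does on an input) never goes through attribute parsing. The input element, the fragment and the small attribute tokenizer are constructed here for illustration; encodeURIComponent is assumed as the "URI-encoded" step named in the test plan.

```javascript
// Added example, not Koha's code. Runs under Node with no DOM; the element
// below is a constructed stand-in for the auth_forwarded_hash <input>.

// Constructed input: a fragment of the shape the test plan uses, carrying a
// payload that closes the value attribute and adds an event handler.
const FRAGMENT = '#somestring" autofocus onfocus="alert(1)';

// Vulnerable pattern: markup assembled by string concatenation. The raw quote
// in the fragment ends the value attribute, and the rest of the fragment
// becomes further attributes on the element.
function buildByConcat(fragment) {
  return '<input type="hidden" name="auth_forwarded_hash" value="' + fragment + '" />';
}

// Tiny attribute tokenizer for the single tag produced above: returns the
// attribute names a browser would see. Only used to make the breakout
// observable without a real HTML parser; it is not a general parser.
function attributeNames(markup) {
  const names = [];
  const re = /\s([A-Za-z][\w-]*)(?:="[^"]*")?/g;
  let m;
  while ((m = re.exec(markup)) !== null) {
    names.push(m[1]);
  }
  return names;
}

// Safe pattern: the element already exists; assign the value property.
// jQuery's .val(v) on an <input> ends up doing el.value = v, so a quote in
// the fragment is just a character in the value, never attribute syntax.
function setByProperty(input, fragment) {
  input.value = fragment;
  return input;
}

// Step 4 of the test plan wants the forwarded hash URI-encoded (assumed here
// to mean encodeURIComponent). Encoding before storing means any later
// consumer that does interpolate it into markup or a URL sees no raw quotes,
// spaces or angle brackets, and the original fragment is recoverable.
function forwardedHash(fragment) {
  return encodeURIComponent(fragment);
}

// Stand-alone demonstration: which attributes each strategy ends up with.
function demo() {
  return {
    concatAttributes: attributeNames(buildByConcat(FRAGMENT)),
    propertyValue: setByProperty({ value: '' }, FRAGMENT).value,
    encodedAttributes: attributeNames(buildByConcat(forwardedHash(FRAGMENT))),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The concatenated markup gains autofocus and onfocus attributes from the fragment; the property assignment stores the fragment verbatim; and the encoded value survives even a later concatenation with only type, name and value present.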