Bug 14418 : More XSS vulnerabilities in opac-shelves.pl
author: Chris Cormack <chrisc@catalyst.net.nz>
Thu, 18 Jun 2015 23:41:45 +0000 (11:41 +1200)
committer: Mason James <mtj@kohaaloha.com>
Sun, 21 Jun 2015 17:38:43 +0000 (05:38 +1200)
commit: 2301be80b1be5213bcd265d221f0303f43b1e5ff
tree: 7b40bf0aceace0bc81c49e3d72e3914f29389a73
parent: 01038a03d49b42beefe480906ab1b7c9547f3f51
Bug 14418 : More XSS vulnerabilities in opac-shelves.pl

To test:
1/ Hit a URL like /cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="><script>alert('oh noes')</script> where the id is a valid shelf id
2/ Notice the js is executed
3/ Apply patch
4/ Reload page
5/ Notice input is now escaped on display

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Tested in Debian, couldn't reproduce the alert in Iceweasel, but in Chromium. Patch fixes it.
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt