]> git.koha-community.org Git - koha.git/commit
Bug 14416: Stored XSS vulnerability
authorChris Cormack <chrisc@catalyst.net.nz>
Thu, 18 Jun 2015 23:26:02 +0000 (11:26 +1200)
committerFridolin Somers <fridolin.somers@biblibre.com>
Tue, 23 Jun 2015 09:24:34 +0000 (11:24 +0200)
commit1eb576ec759da21cc5abe8217ae98303101afd6a
tree305e7c1d59a17056b0c8a8da6cc67ee4820dd16a
parent314f4696e2612b051968dcb42cf9cc613ad0361c
Bug 14416: Stored XSS vulnerability

opac-addbybiblionumber.pl is also vulnerable because it doesn't escape
list names.

To test
1/ Create a malicious list name
2/ Try to add a biblio to the lists
3/ Notice js is excuted
4/ Apply patch
5/ Test again

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit fb51a4bb0f3ac8b42b53579fe3d6d73d0b3438cd)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 20910660a27f61307153afa05c13d67b1b5e91af)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt