From 0fba9c17c9154379430119646c3571f09d986948 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 12 Aug 2016 10:42:28 +0100
Subject: [PATCH] Bug 17114: Fix XSS in picture-upload.pl
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

To reproduce:
1/ cp your_image.jpg 'test.jpg'
2/ Use the upload picture tool to upload this file
=> Without this patch, the alert is shown
=> With this patch, the filename is correctly displayed and no alert

Note that the cardnumber var was not escaped either; it is now.

Signed-off-by: Colin Campbell
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit da03dbd458c59da0b9213efacd3425e89b453332)
Signed-off-by: Frédéric Demians
---
 .../intranet-tmpl/prog/en/modules/tools/picture-upload.tt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt
index 3b1305f5e7..28fce72aad 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt
@@ -67,8 +67,8 @@ [% IF ( COUNT.TCOUNTS ) %]
  • [% COUNT.TCOUNTS %] image(s) moved into the database:
  • [% END %] [% FOREACH filename IN COUNT.filenames %] - [% filename.source %] - [% filename.cardnumber %] + [% filename.source | html %] + [% filename.cardnumber | html %] [% IF ( filename.filerrors ) %] [% FOREACH filerror IN filename.filerrors %] -- 2.39.5
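Review bot: the two added `| html` filters cover `filename.source` and `filename.cardnumber`, but the same hunk still emits `[% COUNT.TCOUNTS %]` unfiltered on the context line above, and the trailing context opens a `[% FOREACH filerror IN filename.filerrors %]` loop whose output lies outside this hunk; since per-file error values are derived from the same user-supplied filename, confirm that those outputs also get `| html` (or enable auto-escaping for this template instead of filtering variable by variable, which is easy to miss on the next added field). Minor: the subject names picture-upload.pl while the only file changed is picture-upload.tt.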