git.koha-community.org Git - koha.git/commit

Bug 19114 - Stored XSS in parcels.pl

Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped

Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit a4ee6ce526cf0b7897badf427c18ae6bfbefe0c5)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

author	Amit Gupta <amit.gupta@informaticsglobal.com>
	Tue, 15 Aug 2017 15:28:34 +0000 (20:58 +0530)
committer	Fridolin Somers <fridolin.somers@biblibre.com>
	Wed, 23 Aug 2017 15:00:41 +0000 (17:00 +0200)
commit	2fabe5ee8f719140065b429f6a13f4633c3145a8
tree	a6efe69366df41dd93c6a283e8eb0841dec0ecd7	tree \| snapshot
parent	6bdc17da42b62d351593540577a06a6827be94ff	commit \| diff

koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt		diff \| blob \| history
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt		diff \| blob \| history
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcels.tt		diff \| blob \| history