From a2aaa3383e531839a06e71d90ce8fb9f753a8561 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 08:33:41 +0530
Subject: [PATCH] Bug 19035 - Stored XSS in lists.pl
To Test
1. Hit the page /cgi-bin/koha/patron_lists/lists.pl
2. Click on new patron list
3. Add a text in the field Name that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed in both the pages list.pl and list.pl?patron_list_id=xx xx is patronlist id
Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
---
 koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt | 4 ++--
 koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt
index 79cf84d7b5..6d9b6c5506 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt
@@ -69,13 +69,13 @@ $(document).ready(function() {
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'cat-search.inc' %]
- +
-

[% list.name %]

+

[% list.name |html %]

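Review bot: The `|html` filter added on `[% list.name |html %]` escapes only `<`, `>`, `&` and `"`, so it is correct where the name is rendered as element text or inside a double-quoted attribute, but not inside a single-quoted attribute or a `<script>` block; the surrounding markup has been lost in this rendering, so the context of the two changed lines should be confirmed against the file. The hunk header shows a `$(document).ready(function() {` block above this hunk, and any output of `list.name` inside that script, or in the page `<title>`, is outside this patch and would need its own context-appropriate encoding rather than `|html`. The same point applies to the `[% l.name |html %]` hunk in lists.tt below. A template comment at the first changed line, `[%# list.name is user-supplied: every output of it must keep the |html filter %]`, would make the intent explicit and discourage the filter being dropped in a later edit.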
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt
index a3d886658b..0489429cc9 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt
@@ -87,7 +87,7 @@
 [% FOREACH l IN lists %]
- [% l.name %]
+ [% l.name |html %]
 [% l.patron_list_patrons_rs.count || 0 %]