From c0cc4229904e2c91fd583c1b905ce3a214990ccb Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 08:33:41 +0530
Subject: [PATCH] Bug 19035 - Stored XSS in lists.pl
To Test
1. Hit the page /cgi-bin/koha/patron_lists/lists.pl
2. Click on new patron list
3. Add a text in the field Name that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed in both the pages list.pl and list.pl?patron_list_id=xx xx is patronlist id
Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
(cherry picked from commit 34dcc80055998c7b301de6e2bbcfa20067c8a63c)
Signed-off-by: Fridolin Somers
---
koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt | 4 ++--
koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt
index 956cc28e7f..c06997ab72 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt
@@ -69,13 +69,13 @@ $(document).ready(function() {
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'cat-search.inc' %]
-
+
-

[% list.name %]

+

[% list.name |html %]

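Review bot: The `|html` filter now applied to `list.name` in `[% list.name |html %]` (and in the breadcrumb line near the top of the hunk) escapes `<`, `>`, `&` and `"` but not the single quote, so it closes the stored XSS for element content but would not be enough if the same value landed in a single-quoted attribute or inside a JavaScript string. The hunk header shows this region sits just after `$(document).ready(function() {`, and a page `<title>` presumably precedes it as well; if `list.name` is emitted in either of those places (outside this hunk), it needs its own treatment there — a JS string needs a JS/JSON-safe encoding rather than `|html`. Because the name is a stored value, every output of `list.name` in list.tt should be checked, not only the two this patch touches.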
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt
index fb60e2ee72..df890d6447 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt
@@ -87,7 +87,7 @@
 [% FOREACH l IN lists %]
- [% l.name %]
+ [% l.name |html %]
 [% l.patron_list_patrons_rs.count || 0 %]
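Review bot: Nothing in the patch pins the escaping, so a later edit could drop `|html` from `[% l.name |html %]` without any test failing; a template-level test that renders lists.tt with a list named `<script>alert(1)</script>` and asserts the output contains `&lt;script&gt;` rather than the raw tag would guard against that regression. The surrounding row markup is not visible here, but if `l.name` is also used in the row's link text, a `title=` attribute or an edit/delete control, those outputs need the same filter — and `|html` does not escape `'`, so a single-quoted attribute or a JavaScript string would still be injectable. The `[% FOREACH l IN lists %]` loop this row belongs to closes outside the hunk.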