From b9ebf70d9583d761d8db9eaf503ebe9498bc01e0 Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Fri, 19 Jun 2015 11:41:45 +1200
Subject: [PATCH] Bug 14418: More XSS vulnerabilities in opac-shelves.pl

To test:
1/ Hit a url like /cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display=">
   Where the id is a valid shelf id
2/ Notice the js is executed
3/ Apply patch
4/ Reload page
5/ Notice input is now escaped on display

Signed-off-by: Jonathan Druart

Signed-off-by: Katrin Fischer
Tested in Debian, couldn't reproduce the alert in Iceweasel, but in Chromium.
Patch fixes it.

Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit cd4c959f7226b060f683f5571f030cc2df7539ca)
(cherry picked from commit f9569612b65798dce457b5650a5b5162b80b12e8)

Signed-off-by: Fridolin Somers
---
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
index c422ac852b..f6cb445ee4 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
@@ -512,7 +512,7 @@ [% IF ( edit ) %]
- +
Editing [% shelfname |html %] -- 2.39.5
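Review bot: the content of the removed and added lines in this hunk has not survived extraction (only the bare `-` and `+` markers remain), so the fix itself cannot be reviewed from what is visible; please confirm that the new line outputs the reflected `display` value through the same `|html` filter that the context line already applies to `[% shelfname |html %]`, rather than through raw interpolation. The subject line says "More XSS vulnerabilities" (plural) while the diffstat shows a single one-line change, so the commit message should state which parameter this hunk covers and, given the test URL also reflects `viewshelf` and `op`, whether those are already filtered elsewhere in the template or remain for a follow-up. The sign-off noting that the alert reproduced in Chromium but not in Iceweasel is worth keeping in the record: browser-dependent reproduction does not narrow the defect, and the escaped output after the patch is the check that matters.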