From ec86950780e908f5b2a5d53e21cffede6d570b08 Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Tue, 15 Aug 2017 02:44:11 +0530 Subject: [PATCH] Bug 19086: Fix Stored XSS in subscription-add.pl To Test 1. Hit the page /cgi-bin/koha/serials/subscription-add.pl 2. Add a text in the field Public note and Nonpublic note that contains js (Internalnotes, notes) 2. Save the page. 3. Notice js is execute 4. Apply patch and reload, the js is escaped Signed-off-by: Katrin Fischer Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart --- .../prog/en/modules/serials/subscription-detail.tt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt index 8c95459d8a..a943120b91 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt @@ -339,8 +339,8 @@ $(document).ready(function() {
  • History end date: [% histenddate %]
  • Received issues:[% recievedlist %]
  • Missing issues:[% missinglist %]
  • -
  • Nonpublic note:[% internalnotes FILTER html_line_break %]
  • -
  • Public note:[% notes FILTER html_line_break %]
  • +
  • Nonpublic note:[% internalnotes FILTER html_line_break |html %]
  • +
  • Public note:[% notes FILTER html_line_break |html %]
  • History staff note:[% librariannote FILTER html_line_break %]
  • History OPAC note:[% opacnote FILTER html_line_break %]
  • -- 2.39.5