git.koha-community.org Git - koha.git/commit

author	Josef Moravec <josef.moravec@gmail.com>
	Sun, 3 Dec 2017 22:21:57 +0000 (22:21 +0000)
committer	Nick Clemens <nick@bywatersolutions.com>
	Fri, 26 Jan 2018 12:01:37 +0000 (07:01 -0500)
commit	0a372c2b1ebcc9ce6ce4310fc227b801fe04cc85
tree	011badbfc40ba775005d2d20fecd81147ea6a260	tree \| snapshot
parent	b9b75c03341d70ae9c3d84471c4a9ef3809d34a9	commit \| diff

Bug 19738: Fix XSS on vendor name in serials module

Test plan:

1) do not apply this patch
2) Have at least one vendor which name does contain javascript, for
example: <i>Vendor 1</i><script>alert('Hi');</script>
3) go to serial module and create new subscription
4) use "Search for vendor"
5) Search for your vendor, when search results table is presented, the
javascript is executed
6) go through subscription creation and save the new subscription
7) On subscription detail page, the javascript is executed as well
8) apply this patch
9) Repeat 3-7, the script is not executed, the input is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

koha-tmpl/intranet-tmpl/prog/en/modules/serials/acqui-search-result.tt		diff \| blob \| history
koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt		diff \| blob \| history