From 69e34243683d1436dd8261b99dfce7b0df124ab6 Mon Sep 17 00:00:00 2001 From: Julian Maurice Date: Thu, 1 Feb 2024 09:15:23 +0100 Subject: [PATCH] Bug 35960: Use .val() instead of string concat to prevent potential XSS Test plan: 1. Log out 2. Go to /cgi-bin/koha/mainpage.pl#somestring"withchar 3. Open the brower's inspector and find "auth_forwarded_hash" input 4. Make sure the value attribute is there and corresponds to the URL's fragment. It should be URI-encoded. Signed-off-by: Owen Leonard Signed-off-by: Victor Grousset/tuxayo Signed-off-by: Lucas Gass --- koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt index 0ae4cbefa2..a51a3f8399 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt @@ -221,7 +221,9 @@
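Review bot: step 4 of the test plan asks the tester to find the `value` attribute of the `auth_forwarded_hash` input in the browser inspector, but jQuery's `.val(value)` assigns the element's `value` property and does not write the `value` content attribute, so the Elements panel can show the input without any `value` attribute even when the fix is working correctly. Suggest rewording step 4 to read the input's `value` property instead (for example by selecting the input in the inspector and evaluating its `value` in the console), and to confirm that the fragment appears there URI-encoded, as the plan already expects. Moving the fragment into a property assignment rather than concatenating it into markup is the right mitigation for this class of DOM XSS, since the string is then treated as data and never parsed as HTML; note that the hunk body itself (3 insertions, 1 deletion at line 221 of auth.tt) is not included on this page, so the removal of the string concatenation cannot be checked against the description here.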