From f9e0b1d2acab67f5ada917ce0f46acb65cd201d2 Mon Sep 17 00:00:00 2001 From: Owen Leonard Date: Tue, 11 Aug 2020 12:34:18 +0000 Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: authorities/authorities.tt Check that mandatory tags and subfields are correctly required when editing an authority record. Signed-off-by: Nick Clemens Signed-off-by: Katrin Fischer Signed-off-by: Kyle M Hall (cherry picked from commit d9ae296b23d6897070c6bb788387ab39e7da8f09) Signed-off-by: Victor Grousset/tuxayo --- .../intranet-tmpl/prog/en/modules/authorities/authorities.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt index 2b9b46f1b1..f9620513bb 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt @@ -78,7 +78,7 @@ function AreMandatoriesNotOk(){ [% FOREACH subfield_loo IN innerloo.subfield_loop %] [% IF ( subfield_loo.mandatory ) %]mandatories.push("[% subfield_loo.id | html %]"); tab.push("[% BIG_LOO.number | html %]"); - label.push("[% To.json(subfield_loo.marc_lib) | $raw %]"); + label.push("[% To.json(subfield_loo.marc_lib) | html %]"); [% END %] [% END %] [% END %] -- 2.39.5
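Review bot: On the changed `label.push("[% To.json(subfield_loo.marc_lib) | html %]");` line, the value is emitted inside a double-quoted JavaScript string, so the `html` filter is entity-encoding JSON-escaped output in a script context, and the commit message does not say why that combination is correct here. This matches the `| html` already used on the neighbouring `mandatories.push` and `tab.push` lines, and it stops a quote or `<` in `marc_lib` from terminating the string or the script block. It also means a subfield description containing `&`, `<`, `>` or `"` now reaches `label` as entity text such as `&amp;`. The code in `AreMandatoriesNotOk()` that displays `label` is outside this hunk; please confirm it inserts the value as HTML rather than as plain text, otherwise users will see the raw entities. The test plan in the commit message only covers the mandatory check itself. Adding a step that uses a `marc_lib` containing a quote and an ampersand would exercise both the escaping and the displayed label.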