From 4ee823f8687605ee54011e09c5a802da6f928ec0 Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Tue, 15 Aug 2017 10:07:45 +0530 Subject: [PATCH] Bug 19103 - Stored XSS in patron-attr-types.pl To Test 1. Hit the page /cgi-bin/koha/admin/patron-attr-types.pl 2. Click on new patron attribute type 2. Add a text in the field Description that contain js. 2. Save the page. 3. Notice js is execute 4. Apply patch and reload, the js is escaped Signed-off-by: Katrin Fischer Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart (cherry picked from commit cb0c3da4b6cec991194ce91e6412cf9d50562044) Signed-off-by: Fridolin Somers (cherry picked from commit 6fc53fb6df1e638f5cea70254612f7e60ff4de2f) Signed-off-by: Katrin Fischer --- .../intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt index ec6b0afbf2..28af1921ff 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt @@ -256,7 +256,7 @@ $(document).ready(function() { [% FOREACH item IN attribute.items %] [% item.code |html %] - [% item.description %] + [% item.description |html %] [% IF ( item.branches && item.branches.size > 0 ) %] [% branches_str = "" %] -- 2.39.5