From 6d22674da5062cc61b6bd8667f8fb5775f71b05a Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Tue, 15 Aug 2017 02:33:59 +0530 Subject: [PATCH] Bug 19086: Fix Stored XSS in supplier.pl 1. Hit the page /cgi-bin/koha/acqui/supplier.pl?op=enter 2. Add a text in the field company_postal, physical, company_fax, accountnumber, contactposition, contact_fax, contact_notes, notes that contains java script 3. Save the page. 4. Notice js is execute 5. Apply patch and reload the js is escaped Signed-off-by: Katrin Fischer Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart --- .../prog/en/modules/acqui/supplier.tt | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt index 12e9e0de28..a40e71586d 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt @@ -58,15 +58,15 @@ [% BLOCK show_contact %]

[% contact.name %]

-

Position: [% contact.position %]

-

Phone: [% contact.phone %]

-

Alternative phone: [% contact.altphone %]

-

Fax: [% contact.fax %]

+

Position: [% contact.position |html %]

+

Phone: [% contact.phone |html %]

+

Alternative phone: [% contact.altphone |html %]

+

Fax: [% contact.fax |html %]

[% IF ( contact.email ) %]

Email: [% contact.email %]

[% END %] [% IF ( contact.notes ) %] -

Notes: [% contact.notes %]

+

Notes: [% contact.notes |html %]

[% END %] [% IF ( contact.acqprimary ) %]

Primary acquisitions contact

@@ -323,15 +323,15 @@ function delete_contact(ev) {

Vendor details

Company name: [% name %]

-

Postal address: [% postal %]

-

Physical address: [% address1 %][% address2 %][% address3 %][% address4 %]

-

Phone: [% phone %]

-

Fax: [% fax %]

+

Postal address: [% postal |html %]

+

Physical address: [% address1 |html %][% address2 |html %][% address3 |html %][% address4 |html %]

+

Phone: [% phone |html %]

+

Fax: [% fax |html %]

[% IF ( url ) %]

Website: [% url %]

[% END %] [% IF ( accountnumber ) %] -

Account number: [% accountnumber %]

+

Account number: [% accountnumber |html %]

[% END %]
@@ -359,7 +359,7 @@ function delete_contact(ev) { [% deliverytime %] days

[% END %] [% IF ( notes ) %]

Notes: - [% notes %]

[% END %] + [% notes |html %]

[% END %]
-- 2.39.5