From a2c6cd77d2b84caf4767826a89404dc1e90b473c Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 20:58:34 +0530
Subject: [PATCH] Bug 19114 - Stored XSS in parcels.pl

Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped

Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl

Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
---
.../intranet-tmpl/prog/en/modules/acqui/orderreceive.tt | 4 ++--
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt | 6 +++---
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcels.tt | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt
index b6e790cce1..b26343cda0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt
@@ -125,7 +125,7 @@
[% INCLUDE 'header.inc' %]
[% INCLUDE 'acquisitions-search.inc' %]
-
+
@@ -133,7 +133,7 @@
-

Receive items from : [% name %] [% IF ( invoice ) %][[% invoice %]] [% END %] (order #[% ordernumber %])

+

Receive items from : [% name %] [% IF ( invoice ) %][[% invoice |html %]] [% END %] (order #[% ordernumber %])

[% IF ( count ) %]
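Review bot: The vendor name on the same heading line, `[% name %]`, is still rendered without a filter while only `[% invoice %]` gains `|html`; if `name` is the bookseller name read back from the database it is staff-entered stored data of the same kind as the invoice number, so the stored-XSS vector this patch closes would remain open through it. The same applies in principle to `[% ordernumber %]`, although that value is presumably numeric. I would filter every interpolated value on the line: `Receive items from : [% name |html %] [% IF ( invoice ) %][[% invoice |html %]] [% END %] (order #[% ordernumber |html %])`. The surrounding markup of this heading is not visible in the hunk as rendered here, so I cannot tell whether any of these values also appear in an attribute context nearby.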
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt
index ef646b3ede..41da4cfec7 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt
@@ -150,7 +150,7 @@
[% IF datereceived %]
Receipt summary for [% name %]
[% IF ( invoice ) %]
- [ [% invoice %] ]
+ [ [% invoice |html %] ]
[% END %]
on [% datereceived | $KohaDates %]
[% ELSE %]
@@ -175,7 +175,7 @@
[% END %]

[% IF datereceived %]
- Receipt summary for [% name %] [% IF ( invoice ) %] [ [% invoice %] ] [% END %] on [% datereceived | $KohaDates %]
+ Receipt summary for [% name %] [% IF ( invoice ) %] [ [% invoice |html %] ] [% END %] on [% datereceived | $KohaDates %]
[% ELSE %]
Receive orders from [% name %]
[% END %]
@@ -218,7 +218,7 @@
[% UNLESS no_orders_to_display %]
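Review bot: `[% name %]` is output unfiltered both in the changed heading and in the `[% ELSE %]` branch (`Receive orders from [% name %]`) of this hunk, while only `invoice` is escaped; if `name` is the vendor name stored in the database, the fix escapes one stored field but leaves a sibling one on the same line exposed to the same class of stored XSS. I would change these to `Receipt summary for [% name |html %]` and `Receive orders from [% name |html %]`, and apply the same filter to `name` in the breadcrumb hunk above. `[% datereceived | $KohaDates %]` already goes through a formatting filter and looks fine as written. The opening markup of this heading sits on the line before the hunk and is not visible here.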
-

Invoice number: [% invoice %] Received by: [% loggedinusername %] On: [% datereceived | $KohaDates %]

+

Invoice number: [% invoice |html %] Received by: [% loggedinusername %] On: [% datereceived | $KohaDates %]

[% UNLESS (invoiceclosedate) %]