From 8ae521da59d5376607c8a7d763a15177fa257444 Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Fri, 11 Aug 2017 19:54:34 +0000 Subject: [PATCH] Bug 19086 Stored XSS in circulation.pl 1/ To test add a message to a borrower that contains js 2/ hit /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] where number is the borrowernumber of the borrower you set the message for 3/ Notice js is execute 4/ Apply patch, reload, js is escaped Signed-off-by: Amit Gupta Signed-off-by: Katrin Fischer Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart (cherry picked from commit 80c93d3499b11f3574fbafe756f94c534b746d5a) Signed-off-by: Fridolin Somers (cherry picked from commit 0a53a9e7f35855405024d03bde01d49f560f99ee) Signed-off-by: Katrin Fischer --- koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt index e887a508c5..5aa31d588c 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt @@ -865,7 +865,7 @@ No patron matched [% message | html %] [% IF message.manager_id %] ( [% message.get_column('manager_firstname') %] [% message.get_column('manager_surname') %] ) [% END %] - "[% message.message %]" + "[% message.message | html %]" [% IF message.branchcode == branch OR Koha.Preference('AllowAllMessageDeletion') %] [ Delete] -- 2.39.5