From 73a66ccaf47f8815bbe74326dbe24dba915456fb Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Tue, 15 Aug 2017 23:22:32 +0530 Subject: [PATCH] Bug 19100 - XSS Flaws in memberentry.pl 1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx xx - is a guarantorid 2. Notice the java script is executed. 3. Apply patch. 4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx xx - is a guarantorid. 5. Notice it is no longer executed. NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me. Signed-off-by: Mark Tompsett Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart --- .../intranet-tmpl/prog/en/modules/members/memberentrygen.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt index 7f6f734322..af7583202b 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt @@ -413,7 +413,7 @@ $(document).ready(function() { [% ELSE %] [% UNLESS nocontactname %]
  • -- 2.39.5
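Review bot: The hunk at @@ -413,7 +413,7 @@ in memberentrygen.tt changes a single line after the `[% UNLESS nocontactname %]` context line, while the subject speaks of "XSS Flaws" in the plural. The commit message should name the template variable that this line outputs and state whether the other request-derived values printed in this template were checked, since the test plan only exercises the guarantorid parameter. The test plan also relies on watching whether script runs in the browser, which the tester notes Chrome was blocking. A step that views the page source and confirms the value appears HTML-encoded would verify the fix independently of browser behaviour.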