From fd44f2fed7415feb8605c94b7c533dcd48d27b15 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 22:58:02 +0530
Subject: [PATCH] Bug 16069 - XSS issue in basket.pl page

1. Hit /cgi-bin/koha/acqui/basket.pl?basketno=xx xx - is a basketno
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/acqui/basket.pl?basketno==xx xx - is a basketno.
5. Notice it is no longer executed.

Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
---
 .../intranet-tmpl/prog/en/modules/acqui/basket.tt | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
index 94c312ca25..f1aa1157c4 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
@@ -18,7 +18,7 @@ [% USE AuthorisedValues %]
 [% INCLUDE 'doc-head-open.inc' %]
-Koha › Acquisitions › [% UNLESS ( basketno ) %]New [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]
+Koha › Acquisitions › [% UNLESS ( basketno ) %]New [% END %]Basket [% basketname|html %] ([% basketno |html %]) for [% name|html %]
 [% INCLUDE 'doc-head-close.inc' %]
 [% INCLUDE 'datatables.inc' %]
@@ -82,7 +82,7 @@ function confirm_ediorder() {
 var is_confirmed = confirm(_("Are you sure you want to close this basket and generate an EDIFACT order?"));
 if (is_confirmed) {
- window.location = "/cgi-bin/koha/acqui/basket.pl?op=edi_confirm&basketno=[% basketno %]";
+ window.location = "/cgi-bin/koha/acqui/basket.pl?op=edi_confirm&basketno=[% basketno |html %]";
 }
 }
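Review bot: In the `window.location` line of confirm_ediorder, `|html` is applied to a value interpolated into a JavaScript string literal inside a script block, where HTML entity encoding is not the matching escaping: browsers do not decode entities in script content, so a `"` or `<` in basketno would end up as the literal text `&quot;` or `&lt;` inside the generated URL rather than being encoded for the JS string or the query parameter. That still prevents breaking out of the double-quoted literal or closing the script element, so the reported XSS is closed, but the resulting URL is wrong for any non-numeric value; Template Toolkit's `uri` filter is the context-appropriate choice for a query-string value, `window.location = "/cgi-bin/koha/acqui/basket.pl?op=edi_confirm&basketno=[% basketno |uri %]";`. The reopen hunk at @@ -107 has the same pattern and should use the same filter. Since basketno is presumably the basket's integer id, the more robust complement is for basket.pl to validate it as an integer and reject the request otherwise before rendering, so that no escaping choice in the template is load-bearing on its own.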
@@ -107,7 +107,7 @@ var skip = [% IF ( skip_confirm_reopen ) %] 1 [% ELSE %] 0 [% END %];
 var is_confirmed = skip || confirm(_("Are you sure you want to reopen this basket?"));
 if (is_confirmed) {
- window.location = "/cgi-bin/koha/acqui/basket.pl?op=reopen&basketno=[% basketno %]";
+ window.location = "/cgi-bin/koha/acqui/basket.pl?op=reopen&basketno=[% basketno |html %]";
 }
 }
 //]]>
@@ -197,7 +197,7 @@ HomeAcquisitions[% name|html %] ›
- [% UNLESS ( basketno ) %][% IF ( delete_confirmed ) %]Deleted [% ELSE %]New [% END %][% END %]Basket [% basketname|html %] [% IF ( basketno ) %]([% basketno %])[% END %] for [% name|html %]
+ [% UNLESS ( basketno ) %][% IF ( delete_confirmed ) %]Deleted [% ELSE %]New [% END %][% END %]Basket [% basketname|html %] [% IF ( basketno ) %]([% basketno |html %])[% END %] for [% name|html %]
@@ -361,7 +361,7 @@ [% END %]
[% END %] -

[% UNLESS ( basketno ) %]New [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]

+

[% UNLESS ( basketno ) %]New [% END %]Basket [% basketname|html %] ([% basketno |html %]) for [% name|html %]

[% IF ( basketno ) %]
-- 2.39.5